Description
PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability can occur in user::maintains() when role filters are provided as an array and interpolated into an IN (...) clause. This issue has been patched in version 1.33.0.
Published: 2026-02-03
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises when role filter arrays are directly interpolated into an IN(...) clause within the user::maintains() method of the PEAR framework. This flaw allows an attacker to inject crafted SQL code that can read, modify, or delete data in the underlying database, thereby compromising data confidentiality and integrity. The weakness is a classic injection flaw (CWE-89) identified in the source code prior to version 1.33.0.

Affected Systems

The affected product is the PEAR distribution system, specifically versions prior to 1.33.0 of pearweb. Users running any older version of PEAR that includes the user::maintains() component are potentially exposed. The update to version 1.33.0 addresses the issue.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog, implying no confirmed exploitation in the wild yet. The likely attack vector is through the web interface or API that submits role filter arrays, requiring the attacker to supply malicious input or influence user-controlled parameters. If exploited, an attacker could retrieve or alter sensitive database content. The high complexity of the injection may require some knowledge of the database schema.

Generated by OpenCVE AI on April 18, 2026 at 00:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update PEAR to version 1.33.0 or later to apply the vendor patch.
  • Validate role filter values against an explicit whitelist before building the IN clause to prevent injection of malicious strings.
  • If the update cannot be applied immediately, remove or restrict any publicly accessible interfaces that accept arbitrary role filter arrays until the patch is installed.
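
The allowlist recommendation above, combined with bound parameters, as an added example (not pearweb's own code and not the vendor patch). The function name, the table and column names, the role names and the use of PDO with an in-memory SQLite database are all assumptions made for illustration.

```php
<?php
// Added example, not pearweb code. Role names below are assumed.
const ALLOWED_ROLES = ['lead', 'developer', 'contributor', 'helper'];

/**
 * Returns true if $handle maintains $package in one of the given roles.
 * $roles may be a single string or an array of strings.
 */
function maintainsInRole(PDO $db, string $handle, int $package, $roles): bool
{
    $roles = is_array($roles) ? array_values($roles) : [$roles];

    // 1. Allowlist: reject anything that is not a known role string.
    foreach ($roles as $role) {
        if (!is_string($role) || !in_array($role, ALLOWED_ROLES, true)) {
            throw new InvalidArgumentException('unknown role filter');
        }
    }
    if ($roles === []) {
        return false; // "IN ()" is invalid SQL; an empty filter matches nothing
    }

    // 2. One placeholder per value; the values never become part of the SQL text.
    $in = implode(',', array_fill(0, count($roles), '?'));
    $stmt = $db->prepare(
        "SELECT COUNT(*) FROM maintains
          WHERE handle = ? AND package = ? AND role IN ($in)"
    );
    $stmt->execute(array_merge([$handle, $package], $roles));
    return (int) $stmt->fetchColumn() > 0;
}

// Constructed sample data in an in-memory SQLite database (hypothetical schema).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE maintains (handle TEXT, package INTEGER, role TEXT)");
$db->exec("INSERT INTO maintains VALUES ('alice', 1, 'lead'), ('bob', 1, 'helper')");

var_dump(maintainsInRole($db, 'alice', 1, ['lead', 'developer']));
var_dump(maintainsInRole($db, 'bob', 1, 'lead'));
try {
    // Constructed hostile filter value: rejected before any SQL is built.
    maintainsInRole($db, 'bob', 1, ["lead') OR ('1'='1"]);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The only string interpolated into the statement is a run of `?` placeholders whose count comes from the validated array, so the filter values cannot change the query structure even if the allowlist check were bypassed.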


Advisories

No advisories yet.

History

Thu, 05 Feb 2026 18:00:00 +0000

Values removed: none
Values added:
  • CPEs: cpe:2.3:a:pear:pearweb:*:*:*:*:*:*:*:*
  • Metrics: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 04 Feb 2026 22:15:00 +0000

Values removed: none
Values added:
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 04 Feb 2026 12:15:00 +0000

Values removed: none
Values added:
  • First Time appeared: Pear; Pear pearweb
  • Vendors & Products: Pear; Pear pearweb

Tue, 03 Feb 2026 19:00:00 +0000

Values removed: none
Values added:
  • Description: PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability can occur in user::maintains() when role filters are provided as an array and interpolated into an IN (...) clause. This issue has been patched in version 1.33.0.
  • Title: PEAR is Vulnerable to SQL Injection in user::maintains() Role IN() Filter
  • Weaknesses: CWE-89
  • References:
  • Metrics: cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-04T21:17:16.583Z

Reserved: 2026-01-30T14:44:47.329Z

Link: CVE-2026-25240

Vulnrichment

Updated: 2026-02-04T21:17:13.666Z

NVD

Status: Analyzed

Published: 2026-02-03T19:16:25.300

Modified: 2026-02-05T17:56:13.807

Link: CVE-2026-25240

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T00:15:31Z

Weaknesses