Impact
The vulnerability is a classic SQL injection in the /get/<package>/<version> endpoint of Pearweb. Because the endpoint requires no authentication and interpolates the package version straight into an SQL query, a remote attacker can craft requests that inject arbitrary SQL into that query. Successful exploitation gives the attacker read or write access to the underlying database, allowing theft or modification of data and potentially full control over the application. The weakness is classified as CWE-89: Improper Neutralization of Special Elements used in an SQL Command.
Affected Systems
The flaw exists in Pearweb, the PHP component distribution system provided by the Pear project. All releases prior to 1.33.0 are affected. The vulnerability is reachable through the publicly accessible web endpoint /get/<package>/<version> and can be triggered by any client without authentication.
Risk and Exploitability
The CVSS base score of 9.3 places the issue in the critical severity band. The EPSS probability of less than 1% estimates a low likelihood of exploitation in the wild over the coming weeks; it is a prediction, not evidence that exploitation has or has not occurred. The issue is not listed in the CISA KEV catalog, so CISA has no confirmed report of active exploitation. Nevertheless, the unauthenticated nature of the attack and the direct path into the database make it an attractive target for threat actors: an attacker needs only to send a crafted HTTP request to the vulnerable endpoint from any host that can reach the Pearweb server, with no credentials required.
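The following is an added illustration of the vulnerability class described in the Impact and Risk sections above; it is example code written for this page, not Pearweb's own code, and the table layout, column names and version-format rule are assumptions used for the demonstration. It builds an in-memory SQLite database with a constructed release table, looks up a release the way a string-interpolating handler would, then shows the same lookup done with a parameterized query and an input-format check. Two constructed payloads in the version position show how an unauthenticated request can widen the result set to rows the caller should not see and read a column the query never selected.

```python
import re
import sqlite3


def make_db():
    """Constructed stand-in for a package-release table (assumed schema, not pearweb's)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE releases (package TEXT, version TEXT, stability TEXT, path TEXT);
        INSERT INTO releases VALUES ('Foo_Bar',    '1.0.0', 'stable', '/dist/Foo_Bar-1.0.0.tgz');
        INSERT INTO releases VALUES ('Foo_Bar',    '1.1.0', 'stable', '/dist/Foo_Bar-1.1.0.tgz');
        INSERT INTO releases VALUES ('Secret_Pkg', '0.9.0', 'devel',  '/private/Secret_Pkg-0.9.0.tgz');
        """
    )
    return conn


def lookup_vulnerable(conn, package, version):
    """CWE-89 pattern: the version path segment is spliced into the SQL text."""
    sql = (
        "SELECT path FROM releases "
        f"WHERE package = '{package}' AND version = '{version}'"
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, package, version):
    """Parameterized query: package and version travel as bound data, never as SQL."""
    sql = "SELECT path FROM releases WHERE package = ? AND version = ?"
    return [row[0] for row in conn.execute(sql, (package, version))]


# Assumed version grammar for the check below (digits and dots, optional suffix
# such as 'a1', 'b2', 'RC1'); it is illustrative, not pearweb's validation rule.
VERSION_RE = re.compile(r"[0-9]+(?:\.[0-9]+)*(?:[A-Za-z]+[0-9]*)?")


def lookup_validated(conn, package, version):
    """Defense in depth: reject anything that is not a plausible version, then bind."""
    if not VERSION_RE.fullmatch(version):
        raise ValueError(f"rejected version string: {version!r}")
    return lookup_safe(conn, package, version)


# Constructed payloads standing in for the <version> segment of a crafted request.
# Tautology: WHERE package = 'Foo_Bar' AND version = 'x' OR '1'='1'  -> every row.
BYPASS_VERSION = "x' OR '1'='1"
# UNION: appends a SELECT over a column the original query never exposed.
UNION_VERSION = "x' UNION SELECT stability FROM releases WHERE package = 'Secret_Pkg"


if __name__ == "__main__":
    db = make_db()
    print("normal, vulnerable :", lookup_vulnerable(db, "Foo_Bar", "1.0.0"))
    print("bypass, vulnerable :", lookup_vulnerable(db, "Foo_Bar", BYPASS_VERSION))
    print("union,  vulnerable :", lookup_vulnerable(db, "Foo_Bar", UNION_VERSION))
    print("bypass, bound      :", lookup_safe(db, "Foo_Bar", BYPASS_VERSION))
    try:
        lookup_validated(db, "Foo_Bar", UNION_VERSION)
    except ValueError as exc:
        print("union,  validated  :", exc)
```

The parameterized form is the actual fix: the database driver sends the version as a value, so a quote in it can never terminate the literal. The format check is a secondary control that also gives a clean 4xx response and a log line for requests that can only be probes; it is not a substitute for binding, because a permissive pattern would still let structure through.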
OpenCVE Enrichment