CVE-2026-3057 - Vulnerability Details

- a54552239 pearProjectApi Backend Task.php dateTotalForProject sql injection

Description

A security flaw has been discovered in a54552239 pearProjectApi up to 2.8.10. Affected is the function dateTotalForProject of the file application/common/Model/Task.php of the component Backend Interface. The manipulation of the argument projectCode results in sql injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Published: 2026-02-24

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A security flaw exists in the pearProjectApi back‑end component. The dateTotalForProject function in Task.php accepts a projectCode parameter without proper sanitization, enabling an attacker to inject arbitrary SQL statements. This flaw aligns with CWE‑74 (SQL Injection) and CWE‑89 (Improper neutralization of special elements in an SQL command). If exploited, the attacker can read, modify, or delete data within the database, compromising confidentiality and integrity.

Affected Systems

The vulnerability affects the pearProjectApi product, version 2.8.10 and earlier. No later versions are disclosed as patched. Users running any supported release prior to 2.8.10 are at risk.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate impact. The EPSS score of less than 1% suggests that automated exploitation is currently rare, yet public exploit code has been released, making manual attacks feasible. The vulnerability is not listed in the CISA KEV catalog, but the existence of public exploits increases the potential for targeted attacks. Attackers can trigger the flaw remotely by sending a crafted request containing a malicious projectCode value, which the unprotected SQL statement then executes on the server.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

a54552239

pearProjectApi

affected

Version	Status	Constraints
`2.8.0`	affected	—
`2.8.1`	affected	—
`2.8.2`	affected	—
`2.8.3`	affected	—
`2.8.4`	affected	—
`2.8.5`	affected	—
`2.8.6`	affected	—
`2.8.7`	affected	—
`2.8.8`	affected	—
`2.8.9`	affected	—
`2.8.10`	affected	—

Configuration 1 [-]

cpe:2.3:a:a54552239:pearprojectapi:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

A54552239

Pearprojectapi

95%

Version	Status	Scheme	Platform
`2.8.0`	affected	semver	—
`2.8.1`	affected	semver	—
`2.8.2`	affected	semver	—
`2.8.3`	affected	semver	—
`2.8.4`	affected	semver	—
`2.8.5`	affected	semver	—
`2.8.6`	affected	semver	—
`2.8.7`	affected	semver	—
`2.8.8`	affected	semver	—
`2.8.9`	affected	semver	—
`2.8.10`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade pearProjectApi to a version newer than 2.8.10 once available
If an upgrade is not immediately possible, implement input validation to ensure projectCode contains only expected characters
Modify the data access layer to use parameterized queries or prepared statements, eliminating direct string interpolation of projectCode
Restrict API access to authenticated and authorized users only
Monitor database logs for abnormal query patterns indicative of injection attempts

Generated by OpenCVE AI on April 18, 2026 at 10:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00014.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/XiaoyuZhou1997/CVE/issues/1
https://github.com/XiaoyuZhou1997/CVE/issues/1#issue-3935708166
https://vuldb.com/?ctiid.347413
https://vuldb.com/?id.347413
https://vuldb.com/?submit.757669

History

Tue, 24 Feb 2026 22:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 24 Feb 2026 03:00:00 +0000

Type	Values Removed	Values Added
Description		A security flaw has been discovered in a54552239 pearProjectApi up to 2.8.10. Affected is the function dateTotalForProject of the file application/common/Model/Task.php of the component Backend Interface. The manipulation of the argument projectCode results in sql injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title		a54552239 pearProjectApi Backend Task.php dateTotalForProject sql injection
First Time appeared		A54552239 A54552239 pearprojectapi
Weaknesses		CWE-74 CWE-89
CPEs		cpe:2.3:a:a54552239:pearprojectapi::::::::
Vendors & Products		A54552239 A54552239 pearprojectapi
References		https://github.com/XiaoyuZhou1997/CVE/issues/1 https://github.com/XiaoyuZhou1997/CVE/issues/1#issue-3935708166 https://vuldb.com/?ctiid.347413 https://vuldb.com/?id.347413 https://vuldb.com/?submit.757669
Metrics		cvssV2_0 `{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

A54552239 Pearprojectapi

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-02-24T02:02:08.977Z

Updated: 2026-02-24T20:42:56.315Z

Reserved: 2026-02-23T18:04:37.334Z

Link: CVE-2026-3057

Vulnrichment

Updated: 2026-02-24T20:42:49.851Z

NVD

Status : Analyzed

Published: 2026-02-24T03:16:03.190

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-3057

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T11:00:05Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object