CVE-2026-25234

9.8 CRITICAL

📋 TL;DR

This SQL injection vulnerability in PEAR's category deletion function allows attackers with category manager access to execute arbitrary SQL commands. It affects PEAR installations prior to version 1.33.0 where users have category management privileges.

💻 Affected Systems

Products:
  • PEAR (PHP Extension and Application Repository)
Versions: All versions prior to 1.33.0
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires attacker to have category manager access; default installations with admin users are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise including data theft, modification, or deletion; potential privilege escalation to system-level access.

🟠 Likely Case: Unauthorized data access or modification within the PEAR database, potentially affecting other users' packages or system integrity.

🟢 If Mitigated: Limited impact due to proper access controls and input validation preventing successful exploitation.

🌐 Internet-Facing: MEDIUM - Requires authenticated access but internet-facing admin interfaces could be targeted.
🏢 Internal Only: MEDIUM - Internal attackers with category manager privileges could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to category management functionality; SQL injection is typically straightforward to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.33.0

Vendor Advisory: https://github.com/pear/pearweb/security/advisories/GHSA-q28j-3p7r-6722

Restart Required: No

Instructions:

1. Back up your current PEAR installation and database.
2. Update PEAR using: pear upgrade pear
3. Verify the version with: pear version
4. Ensure the version shown is 1.33.0 or higher.

🔧 Temporary Workarounds

Restrict Category Manager Access (applies to: all): Limit category management privileges to only essential trusted users.

Input Validation Filter (applies to: all): Implement additional input validation for category ID parameters before processing.

🧯 If You Can't Patch

  • Implement strict input validation and parameterized queries for all category management functions.
  • Apply network segmentation and restrict access to PEAR admin interfaces to trusted IP addresses only.

🔍 How to Verify

Check if Vulnerable:

Check the PEAR version with: pear version | grep -i pear. If the version is below 1.33.0, the system is vulnerable.

Check Version:

pear version | grep -i pear

Verify Fix Applied:

Run: pear version and confirm that the output shows version 1.33.0 or higher.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed category deletion attempts
  • Suspicious category ID patterns in application logs

Network Indicators:

  • Unusual traffic to category management endpoints
  • SQL error messages in HTTP responses

SIEM Query:

source="*pear*" AND ("category" AND "delete") AND (sql OR injection OR error)
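As an added example (not part of this advisory and not pearweb's own code), the log indicators above can be turned into a simple offline check over web-server access logs: it flags category-delete requests whose id parameter is not a plain integer and counts per-source failed deletions. The endpoint path and the log lines are constructed assumptions, not pearweb's real route or real logs.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (common log format); not real pearweb logs.
SAMPLE_LOG = """\
203.0.113.5 - admin [10/Mar/2026:10:01:02 +0000] "GET /admin/category-delete.php?id=42 HTTP/1.1" 200 512
203.0.113.9 - mgr [10/Mar/2026:10:01:07 +0000] "GET /admin/category-delete.php?id=17%27 HTTP/1.1" 500 88
203.0.113.9 - mgr [10/Mar/2026:10:01:09 +0000] "GET /admin/category-delete.php?id=abc HTTP/1.1" 500 88
203.0.113.9 - mgr [10/Mar/2026:10:01:11 +0000] "GET /admin/category-delete.php?id=17%20x HTTP/1.1" 500 88
203.0.113.5 - admin [10/Mar/2026:10:02:00 +0000] "GET /packages.php HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \d+$'
)
DELETE_PATH = "/admin/category-delete.php"  # assumed endpoint name, not pearweb's actual route
INT_RE = re.compile(r'\d+')


def suspicious_category_requests(log_text):
    """Return (ip, user, decoded_id, status) for category-delete requests
    whose id parameter is anything other than a plain decimal integer."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        url = urlsplit(m["target"])
        if url.path != DELETE_PATH:
            continue
        raw_id = parse_qs(url.query).get("id", [""])[0]  # parse_qs already URL-decodes
        if not INT_RE.fullmatch(raw_id):
            hits.append((m["ip"], m["user"], raw_id, int(m["status"])))
    return hits


def failed_delete_counts(log_text, threshold=3):
    """Map source IP -> number of category-delete requests answered with a 5xx,
    keeping only sources at or above the threshold (repeated failed deletions)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and urlsplit(m["target"]).path == DELETE_PATH and m["status"].startswith("5"):
            counts[m["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

Feed real access logs into the same two functions and tune the threshold to the normal rate of category deletions in your deployment.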
