CVE-2026-25236

9.8 CRITICAL

📋 TL;DR

This CVE describes a SQL injection vulnerability in PEAR, the PHP Extension and Application Repository, located in its pearweb component: untrusted input is substituted as a literal into karma-related SQL queries instead of being passed as a bound parameter, so an attacker can inject SQL of their choosing. Systems using PEAR versions before 1.33.0 are affected. The vulnerability could allow unauthorized database access or manipulation.

💻 Affected Systems

Products:
  • PEAR (PHP Extension and Application Repository)
Versions: All versions prior to 1.33.0
Operating Systems: All operating systems running PHP with PEAR
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using PEAR's karma query functionality. The vulnerability is in the pearweb component.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, modification, or deletion, and potential privilege escalation to execute arbitrary commands on the database server.

🟠 Likely Case

Unauthorized data access or modification in the PEAR database, potentially exposing user information, package metadata, or system configuration.

🟢 If Mitigated

Limited impact with proper input validation and database permissions, potentially only allowing read access to non-sensitive data.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

SQL injection vulnerabilities typically have low exploitation complexity, but specific exploitation details aren't publicly documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.33.0

Vendor Advisory: https://github.com/pear/pearweb/security/advisories/GHSA-95mc-p966-c29f

Restart Required: No

Instructions:

1. Update PEAR to version 1.33.0 or later using: pear upgrade pear
2. Verify the update completed successfully
3. Test affected functionality to ensure compatibility

🔧 Temporary Workarounds

Input Validation Enhancement (applies to: all affected versions)

Implement strict input validation for all parameters used in karma queries.

Database Permission Restriction (applies to: all affected versions)

Limit database user permissions to the minimum required operations.
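The two workarounds above address the same root cause from different sides, and the contrast is easiest to see in code. The following is an added example written for this page; it is not pearweb's code and does not reproduce the affected query. The table name karma, its columns, the handle format accepted by the allowlist and the use of PDO with an in-memory SQLite database are all assumptions made so the example runs offline. It shows the bug class the advisory names (a value spliced into the SQL text as a literal) next to the hardened form (a bound parameter), plus the allowlist check from the first workaround.

```php
<?php
// Added example, not pearweb code. Table, columns and handle format are assumed.
declare(strict_types=1);

// Constructed in-memory database so the example runs without a server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE karma (user_handle TEXT PRIMARY KEY, level TEXT NOT NULL)');
$db->exec("INSERT INTO karma VALUES ('alice', 'pear.dev'), ('o''brien', 'pear.voter')");

// VULNERABLE pattern: the handle is substituted into the SQL text as a literal.
// Any quote character in $handle changes the structure of the statement.
function karmaVulnerable(PDO $db, string $handle): array
{
    $sql = "SELECT level FROM karma WHERE user_handle = '$handle'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// HARDENED pattern: the SQL text is fixed and the handle travels as a bound
// parameter, so the database never parses the value as SQL.
function karmaSafe(PDO $db, string $handle): array
{
    $stmt = $db->prepare('SELECT level FROM karma WHERE user_handle = ?');
    $stmt->execute([$handle]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Defense in depth (workaround 1): reject handles outside the expected
// character set before they reach the database layer at all.
function isValidHandle(string $handle): bool
{
    // Assumed handle format: lowercase alphanumerics and underscore, 1-20 chars.
    return preg_match('/^[a-z0-9_]{1,20}$/', $handle) === 1;
}

$input = "o'brien";   // a legitimate-looking value that happens to contain a quote

try {
    karmaVulnerable($db, $input);
} catch (PDOException $e) {
    // The quote terminated the literal early and the statement is malformed.
    // This is the "SQL syntax error" signal the detection section looks for.
    echo 'vulnerable query failed: ' . $e->getMessage() . PHP_EOL;
}

// The bound-parameter version returns the row for o'brien without error.
var_dump(karmaSafe($db, $input));

// The allowlist rejects the quoted value but accepts a well-formed handle.
var_dump(isValidHandle($input));
var_dump(isValidHandle('alice'));
```

Run it with `php example.php` on any PHP build that ships the pdo_sqlite extension. Note that the allowlist is a second layer, not a substitute for the prepared statement: validation narrows what reaches the query, while parameter binding guarantees that whatever does reach it is treated as data.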

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block SQL injection patterns
  • Disable or restrict access to affected karma query functionality if not essential

🔍 How to Verify

Check if Vulnerable:

Check the installed PEAR version with: pear version | grep 'PEAR Version'

Any version below 1.33.0 is affected.

Verify Fix Applied:

Confirm the reported version is 1.33.0 or higher with: pear version

📡 Detection & Monitoring

Log Indicators:

  • Unusual database query patterns in application logs
  • SQL syntax errors in PHP error logs
  • Multiple failed query attempts with special characters

Network Indicators:

  • Unusual database connection patterns from web servers
  • SQL error messages in HTTP responses

SIEM Query:

source="*php*" AND ("SQL syntax" OR "mysql_error" OR "pdo_exception") AND "pear"
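The log indicators and the SIEM query above can be turned into a small scanner that a defender can run over PHP error logs when no SIEM is available. The following is an added example written for this page, not a pearweb tool. The log lines are constructed in the style of PHP's error_log output; the trailing client= field, the per-client burst threshold and the file paths are assumptions. It applies the same three terms as the SIEM query, requires the line to mention pear, and flags a client that produces repeated failed queries.

```php
<?php
// Added example, not pearweb code. Sample lines are constructed; the
// client= field and the burst threshold are assumptions.
declare(strict_types=1);

// Constructed PHP error_log-style lines (not real pearweb output).
$sampleLog = [
    "[10-Mar-2026 09:14:02 UTC] PHP Notice: pear/karma.php: lookup for handle alice ok",
    "[10-Mar-2026 09:14:05 UTC] PHP Warning: PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax near ''' at line 1 in pear/karma.php client=203.0.113.7",
    "[10-Mar-2026 09:14:06 UTC] PHP Warning: mysql_error(): You have an error in your SQL syntax in pear/karma.php client=203.0.113.7",
    "[10-Mar-2026 09:14:06 UTC] PHP Warning: PDOException: SQLSTATE[42000]: Syntax error in pear/karma.php client=203.0.113.7",
    "[10-Mar-2026 09:15:40 UTC] PHP Notice: cron/cleanup.php finished",
];

// Terms taken from the advisory's SIEM query ("SQL syntax", "mysql_error", "pdo_exception").
const SQL_ERROR_PATTERN = '/SQL syntax|mysql_error|pdo_?exception/i';
// Assumed: the application appends the requesting client's IPv4 address.
const CLIENT_PATTERN    = '/client=(\d{1,3}(?:\.\d{1,3}){3})/';
// Assumed: three or more failed queries from one client within the scanned window is a burst.
const BURST_THRESHOLD   = 3;

/**
 * Scan log lines for SQL error indicators tied to pear, then group by client.
 * Returns ['hits' => [...], 'bursts' => [client, ...]].
 */
function scanLogLines(array $lines): array
{
    $hits = [];
    $perClient = [];
    foreach ($lines as $n => $line) {
        // Both conditions must hold: an SQL error signal and a pear reference.
        if (preg_match(SQL_ERROR_PATTERN, $line) !== 1 || stripos($line, 'pear') === false) {
            continue;
        }
        $client = preg_match(CLIENT_PATTERN, $line, $m) === 1 ? $m[1] : 'unknown';
        $perClient[$client] = ($perClient[$client] ?? 0) + 1;
        $hits[] = ['line' => $n + 1, 'client' => $client, 'text' => $line];
    }
    // Clients at or above the threshold are the "multiple failed query attempts" indicator.
    $bursts = array_keys(array_filter($perClient, fn(int $c): bool => $c >= BURST_THRESHOLD));
    return ['hits' => $hits, 'bursts' => $bursts];
}

$result = scanLogLines($sampleLog);
foreach ($result['hits'] as $hit) {
    printf("line %d client %s: %s\n", $hit['line'], $hit['client'], substr($hit['text'], 0, 80));
}
foreach ($result['bursts'] as $client) {
    printf("ALERT: %d or more SQL errors attributed to %s\n", BURST_THRESHOLD, $client);
}
```

On the constructed input the scanner reports the three error lines from the same client and raises one burst alert for it, while the benign notice lines are ignored. A single SQL syntax error is noise in most deployments; the per-client grouping is what separates a typo from a probing pattern, so tune the threshold and window to your own traffic before alerting on it.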
