CVE-2026-25238

9.8 CRITICAL

📋 TL;DR

A SQL injection vulnerability in PEAR's bug subscription deletion feature allows attackers to execute arbitrary SQL commands by manipulating email values. This affects all PEAR installations prior to version 1.33.0 that use the bug subscription functionality. Attackers could potentially read, modify, or delete database contents.

💻 Affected Systems

Products:
  • PEAR (PHP Extension and Application Repository)
Versions: All versions prior to 1.33.0
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with bug subscription functionality enabled. PEARweb installations are specifically vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data exfiltration, modification, or deletion; potential privilege escalation to execute arbitrary code on the database server.

🟠 Likely Case

Unauthorized access to bug tracking data, potential exposure of user information, and manipulation of bug subscription records.

🟢 If Mitigated

Limited impact to bug subscription functionality only, with proper input validation and database permissions restricting damage.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to bug subscription deletion functionality. The vulnerability is in email parameter handling during subscription deletion.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.33.0

Vendor Advisory: https://github.com/pear/pearweb/security/advisories/GHSA-cv3c-27h5-7gmv

Restart Required: No

Instructions:

1. Update PEAR to version 1.33.0 or later using: pear upgrade pear
2. Verify the update completed successfully
3. No service restart required for PHP applications

🔧 Temporary Workarounds

Disable bug subscription functionality (applies to: all)

Temporarily disable the vulnerable bug subscription deletion feature until patching is possible.

Implement input validation (applies to: all)

Add email validation and parameterized queries to the bug subscription deletion code.
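The workaround above, as an added example that is not PEARweb's own code: a hypothetical subscription deletion handler showing the unsafe string-built query beside a hardened version that validates the email and binds it as a parameter. The table and column names (bug_subscriptions, bug_id, email) are assumptions; the demo runs against an in-memory SQLite database with constructed rows.

```php
<?php
declare(strict_types=1);

// UNSAFE (shown for contrast, never called): the email value is spliced into
// the query text, so whatever the caller sends is parsed as SQL.
function deleteSubscriptionUnsafe(PDO $db, int $bugId, string $email): int
{
    $sql = "DELETE FROM bug_subscriptions WHERE bug_id = $bugId AND email = '$email'";
    return (int) $db->exec($sql);
}

// HARDENED: reject input that is not shaped like an email, then bind the
// value as a parameter so the database only ever sees it as data.
function deleteSubscription(PDO $db, int $bugId, string $email): int
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid email address');
    }
    $stmt = $db->prepare(
        'DELETE FROM bug_subscriptions WHERE bug_id = :bug_id AND email = :email'
    );
    $stmt->bindValue(':bug_id', $bugId, PDO::PARAM_INT);
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed demo data on an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Use server-side prepared statements rather than PDO's client-side emulation.
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$db->exec('CREATE TABLE bug_subscriptions (bug_id INTEGER, email TEXT)');
$db->exec("INSERT INTO bug_subscriptions VALUES
    (1, 'alice@example.org'), (1, 'o''brien@example.org'), (2, 'alice@example.org')");

// A normal deletion removes exactly one row for that bug/email pair.
echo 'deleted: ', deleteSubscription($db, 1, 'alice@example.org'), PHP_EOL;

// A legitimate address containing a quote is handled correctly when bound;
// the unsafe variant would have turned that quote into a SQL syntax change.
echo 'deleted: ', deleteSubscription($db, 1, "o'brien@example.org"), PHP_EOL;

// Input that is not an email never reaches the database.
try {
    deleteSubscription($db, 1, 'not-an-email');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Run it with the pdo_sqlite extension enabled; only the hardened function is invoked, and the unsafe one is kept solely to show the pattern the fix replaces.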

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block SQL injection patterns in email parameters
  • Restrict database user permissions to minimize potential damage from successful exploitation

🔍 How to Verify

Check if Vulnerable:

pear version | grep 'PEAR Version'

Verify Fix Applied:

Run the same command and confirm the reported version is 1.33.0 or higher.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed bug subscription deletion attempts
  • Suspicious email patterns in application logs

Network Indicators:

  • Unusual database connection patterns from web server
  • SQL error messages in HTTP responses

SIEM Query:

source="web_logs" AND ("bug subscription" OR "email=") AND (sql OR injection OR "' OR ")
