CVE-2026-25240

9.8 CRITICAL

📋 TL;DR

This SQL injection vulnerability in PEAR's user::maintains() function allows attackers to execute arbitrary SQL commands when role filters are provided as arrays. It affects all PEAR installations prior to version 1.33.0 that use the vulnerable function with array inputs.

💻 Affected Systems

Products:
  • PEAR (PHP Extension and Application Repository)
Versions: All versions prior to 1.33.0
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability triggers only when role filters are passed as arrays to the user::maintains() function.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full database compromise including data exfiltration, modification, or deletion, and potential privilege escalation to execute system commands via database functions.

🟠 Likely Case

Unauthorized data access and potential data manipulation in the PEAR database, possibly exposing user information, package metadata, or authentication data.

🟢 If Mitigated

Limited impact if proper input validation and parameterized queries are already implemented elsewhere in the application.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires ability to pass array parameters to the vulnerable function, which typically requires some level of application access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.33.0

Vendor Advisory: https://github.com/pear/pearweb/security/advisories/GHSA-xw9g-5gr2-c44f

Restart Required: No

Instructions:

1. Update PEAR to version 1.33.0 or later using: pear upgrade pear
2. Verify that the update completed successfully
3. Test application functionality that uses the user::maintains() function

🔧 Temporary Workarounds

Input Validation Workaround

Implement strict input validation for role filter parameters before passing them to user::maintains()

Parameterized Query Implementation

Modify user::maintains() to use prepared statements with parameter binding instead of string interpolation

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to detect and block SQL injection patterns
  • Restrict database user permissions to minimum required for application functionality

🔍 How to Verify

Check if Vulnerable:

Check the PEAR version using: pear version | grep 'PEAR Version'

Verify Fix Applied:

Confirm that the version is 1.33.0 or higher using: pear version

📡 Detection & Monitoring

Log Indicators:

  • Unusual database queries from PEAR application
  • SQL syntax errors in application logs
  • Multiple failed login attempts or authorization checks

Network Indicators:

  • Unusual database connection patterns from application servers

SIEM Query:

source="application.log" AND "user::maintains" AND ("SQL" OR "database error")
