CVE-2026-25236
BaseFortify

Publication date: 2026-02-03

Last updated on: 2026-02-05

Assigner: GitHub, Inc.

Description
PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection risk exists in karma queries due to unsafe literal substitution for an IN (...) list. This issue has been patched in version 1.33.0.
Meta Information
Published: 2026-02-03
Last Modified: 2026-02-05
Generated: 2026-05-27
AI Q&A: 2026-02-03
EPSS Evaluated: 2026-05-25
Affected Vendors & Products
Vendor: pear
Product: pearweb
Version / Range: versions before 1.33.0 (1.33.0 itself excluded)
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability is a SQL injection flaw that allows an attacker to execute unintended SQL commands, potentially compromising database security.

Such a compromise could lead to unauthorized access or manipulation of sensitive data, which may impact compliance with data protection standards and regulations like GDPR and HIPAA that require safeguarding personal and health information.

However, the provided information does not explicitly describe the direct effects on compliance with these standards.


Can you explain this vulnerability to me?

CVE-2026-25236 is a moderate severity SQL injection vulnerability found in the Damblan_Karma component of the PEAR framework, specifically in the karma queries within the file include/Damblan/Karma.php.

The issue occurs because the code uses PEAR DB literal substitution for an SQL IN() clause, where a constructed string of levels is directly substituted without proper quoting or escaping. This bypasses the normal mechanisms that neutralize special SQL characters.

As a result, an attacker who can influence the levels list can inject arbitrary SQL code, leading to unintended execution of SQL commands. This vulnerability corresponds to CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).

The vulnerability affects PEAR versions prior to 1.33.0 and was fixed in version 1.33.0.


How can this vulnerability impact me?

This vulnerability can allow an attacker to execute arbitrary SQL commands on the affected database by injecting malicious SQL code through the karma queries.

Such unauthorized SQL execution can lead to compromise of database security, including unauthorized data access, data modification, or data deletion.

The impact includes potential loss of data integrity, confidentiality, and availability depending on the attacker's actions. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves SQL injection in the karma queries of the Damblan_Karma component, specifically due to unsafe literal substitution in SQL IN() clauses.

To detect this vulnerability on your system, you can check the version of the PEAR framework installed. Versions prior to 1.33.0 are vulnerable.

Additionally, you can review or audit the source code, especially the file include/Damblan/Karma.php, for usage of literal substitution in SQL queries involving IN() clauses.

For active detection, you might attempt to test the karma queries with crafted inputs that include SQL special characters to see if injection is possible.

- Check PEAR version: `pear version` or inspect the installed package version.
- Search for vulnerable code patterns: `grep -r "IN (!" include/Damblan/Karma.php`
- Perform SQL injection testing on the karma query endpoints using tools like sqlmap or manual injection payloads. [1]


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade the PEAR framework to version 1.33.0 or later, where this SQL injection vulnerability has been patched.

If upgrading immediately is not possible, review and modify the code in include/Damblan/Karma.php to avoid unsafe literal substitution in SQL queries, ensuring proper quoting and escaping of inputs.

Additionally, restrict or sanitize any user inputs that influence the levels list used in the karma queries to prevent injection.

Implement database access controls and monitoring to detect and prevent suspicious SQL activity.
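The following PHP is an added illustration of the two patterns this record contrasts: the mechanism described in the "Can you explain this vulnerability" answer (a comma-joined list dropped into an IN (...) clause through PEAR DB's "!" literal placeholder, which inserts the value unquoted) and the remediation described above (proper quoting of each element). It is not code from pearweb or from include/Damblan/Karma.php; the function names, the `karma` table, and the constructed inputs are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from pearweb or include/Damblan/Karma.php.
// Function and table names are hypothetical.

/**
 * Vulnerable pattern. PEAR DB's "!" placeholder inserts the bound value
 * verbatim, so whatever text is in $levels becomes part of the statement.
 * The str_replace() only simulates that substitution so the resulting SQL
 * can be inspected without a database connection.
 */
function karmaSqlLiteral(array $levels): string
{
    $list = implode(',', $levels);
    $template = 'SELECT user, level FROM karma WHERE level IN (!)';
    return str_replace('!', $list, $template);
}

/**
 * Hardened pattern. Karma levels are numeric, so every element is checked
 * against an integer allow-list, and the query gets one "?" placeholder per
 * element so the driver quotes each value separately. Returns [$sql, $params]
 * for $db->getAll($sql, $params) with PEAR DB, or
 * $pdo->prepare($sql)->execute($params) with PDO.
 */
function karmaSqlParameterized(array $levels): array
{
    if ($levels === []) {
        // "IN ()" is not valid SQL; fail early instead of emitting a broken statement.
        throw new InvalidArgumentException('levels list must not be empty');
    }

    $params = [];
    foreach ($levels as $level) {
        $isInt = is_int($level)
            || (is_string($level) && preg_match('/^-?\d+$/', $level) === 1);
        if (!$isInt) {
            throw new InvalidArgumentException(
                'invalid karma level: ' . var_export($level, true)
            );
        }
        $params[] = (int) $level;
    }

    $placeholders = implode(', ', array_fill(0, count($params), '?'));
    $sql = "SELECT user, level FROM karma WHERE level IN ($placeholders)";
    return [$sql, $params];
}

// Constructed inputs: a clean list and one whose second element carries SQL syntax.
$clean   = ['1', '2', '3'];
$tainted = ['1', '2 OR level > 0'];

// With the literal placeholder the comparison lands inside the statement unchanged.
echo karmaSqlLiteral($tainted), PHP_EOL;

// With per-element placeholders the values travel separately from the SQL text.
[$sql, $params] = karmaSqlParameterized($clean);
echo $sql, ' with params ', json_encode($params), PHP_EOL;

// The allow-list rejects the tainted list before any query is built.
try {
    karmaSqlParameterized($tainted);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The integer check is the part that matters most for a review: even with `?` placeholders, an IN list built from untrusted input should be validated element by element, because the placeholder count itself is derived from the input's length. When auditing code for the pattern the record describes, the `grep` for `IN (!` in the detection answer finds the literal placeholder; the fix is to replace it with a generated `?` list and bind the elements as parameters.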

