CVE-2026-25238
BaseFortify
Publication date: 2026-02-03
Last updated on: 2026-02-05
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pear | pearweb | to 1.33.0 (exc) |
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25238 is a critical SQL injection vulnerability in the PEAR framework's bug subscription deletion feature, affecting versions prior to 1.33.0.

The vulnerability occurs because the email validation uses an unanchored regular expression that can accept crafted inputs containing valid-looking email substrings, allowing attackers to bypass validation.

Then, the SQL query that deletes subscriptions concatenates user inputs (bug_id, unsubscribe_hash, and email) directly into the SQL statement without proper sanitization or parameterization.

This allows attackers to inject malicious SQL code via a crafted email value, potentially executing unauthorized SQL commands.
How can this vulnerability impact me?
This vulnerability can allow attackers to execute unauthorized SQL commands on the affected system.
Such unauthorized SQL execution can lead to data leakage, data modification, or deletion, compromising the integrity and confidentiality of the database.
It may also allow attackers to escalate privileges or disrupt normal application functionality.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious or malformed email inputs in the bug subscription deletion requests, especially those that might contain SQL injection payloads. Since the vulnerability involves SQL injection via the email parameter, analyzing logs for unusual patterns or attempts to inject SQL code in the email field is recommended.
Specific commands are not provided in the available resources, but typical detection methods include using web application firewalls (WAF) with SQL injection detection rules, or running manual or automated scans targeting the bug subscription deletion functionality with crafted email inputs.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the pearweb project to version 1.33.0 or later, where the vulnerability has been patched.
Until the upgrade can be applied, consider implementing input validation and sanitization on the email parameter to prevent SQL injection, or restrict access to the bug subscription deletion functionality to trusted users only.
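The two root causes named above (an unanchored email check, then string-built SQL) and the mitigation just described are shown side by side in this added example; it is not pearweb's code, and the table, column names and sample rows are assumed for the demonstration.

```python
import re
import sqlite3

# Assumed, simplified stand-in for the pattern described on this page;
# not pearweb's code. Table and column names are made up for the demo.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def validate_unanchored(email: str) -> bool:
    # Weak check: search() succeeds if an email-like substring appears
    # anywhere in the value, so arbitrary text around it also passes.
    return EMAIL_RE.search(email) is not None


def validate_anchored(email: str) -> bool:
    # Fixed check: fullmatch() requires the entire value to be an address.
    return EMAIL_RE.fullmatch(email) is not None


def make_db() -> sqlite3.Connection:
    # Constructed sample data in an in-memory database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bug_subscriptions "
                 "(bug_id INTEGER, email TEXT, unsubscribe_hash TEXT)")
    conn.executemany(
        "INSERT INTO bug_subscriptions VALUES (?, ?, ?)",
        [(101, "alice@example.com", "hash-alice"),
         (101, "bob@example.com", "hash-bob"),
         (202, "alice@example.com", "hash-alice-202")],
    )
    conn.commit()
    return conn


def delete_subscription(conn, bug_id, unsubscribe_hash, email) -> int:
    # Validate strictly, then bind every value as a parameter so the
    # database never interprets user input as SQL. Returns rows deleted.
    if not validate_anchored(email):
        raise ValueError("email must be a single well-formed address")
    cur = conn.execute(
        "DELETE FROM bug_subscriptions "
        "WHERE bug_id = ? AND unsubscribe_hash = ? AND email = ?",
        (int(bug_id), unsubscribe_hash, email),
    )
    conn.commit()
    return cur.rowcount
```

A value such as `"junk user@example.com junk"` passes the unanchored check but is rejected by the anchored one, and because the delete binds parameters, even a value that slipped past validation would only ever be compared as data.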
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows attackers to perform unauthorized SQL injection attacks, potentially leading to unauthorized access, modification, or deletion of data stored in the affected system.
Such unauthorized access or data breaches could result in non-compliance with data protection regulations like GDPR or HIPAA, which require organizations to protect personal and sensitive information from unauthorized access and ensure data integrity.
Therefore, if exploited, this vulnerability could compromise the confidentiality and integrity of data, impacting compliance with these common standards and regulations.