CVE-2026-25239
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-02-03

Last updated on: 2026-02-05

Assigner: GitHub, Inc.

Description
PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in apidoc queue insertion can allow query manipulation if an attacker can influence the inserted filename value. This issue has been patched in version 1.33.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-03
Last Modified
2026-02-05
Generated
2026-06-16
AI Q&A
2026-02-03
EPSS Evaluated
2026-06-14
NVD
CVE-2026-25239
EUVD
EUVD-2026-5196
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pear pearweb to 1.33.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability is a SQL injection that allows an attacker to manipulate database queries, potentially compromising database integrity and security.

Such a compromise could lead to unauthorized access or modification of sensitive data, which may impact compliance with data protection regulations like GDPR and HIPAA that require safeguarding personal and health information.

However, the provided information does not explicitly discuss the direct effects of this vulnerability on compliance with these standards.

Executive Summary

CVE-2026-25239 is a critical SQL injection vulnerability in the pearweb project, specifically in the apidoc_queue insertion process. The vulnerability occurs because the SQL INSERT statement is constructed by directly concatenating a filename variable into the query without proper sanitization or escaping. This allows an attacker who can control the filename value to manipulate the SQL query, potentially executing arbitrary SQL commands.

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary SQL commands on the database. This can lead to compromising the integrity and security of the database, including unauthorized data access, data modification, or deletion.

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by inspecting the source code for unsafe SQL query constructions involving the apidoc_queue insertion, specifically looking for concatenation of unsanitized filename variables into SQL statements.'}, {'type': 'paragraph', 'content': 'On a system where the vulnerable PEAR version is installed, you can check the version of pearweb to confirm if it is prior to 1.33.0, which is vulnerable.'}, {'type': 'paragraph', 'content': 'Since the vulnerability involves SQL injection via the filename variable, monitoring database logs for suspicious or malformed SQL queries involving the apidoc_queue table may help detect exploitation attempts.'}, {'type': 'list_item', 'content': 'Check the installed pearweb version: `pear version` or inspect the pearweb package version in your environment.'}, {'type': 'list_item', 'content': 'Search the source code for unsafe SQL query concatenation patterns, e.g., `grep -r "VALUES (\'" . $file . "\'" ." include/`.'}, {'type': 'list_item', 'content': 'Review database logs for unusual queries on the apidoc_queue table that include unexpected or malicious filename values.'}] [1]

Mitigation Strategies

The immediate mitigation step is to upgrade the pearweb framework to version 1.33.0 or later, where this SQL injection vulnerability has been patched.

If upgrading immediately is not possible, apply input validation and sanitization on the filename variable before it is used in SQL queries to prevent injection.

Additionally, review and modify the code to use parameterized queries or prepared statements instead of directly concatenating variables into SQL commands.

Monitor your systems and database logs for any signs of exploitation attempts and restrict access to the vulnerable functionality where possible.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25239. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart