CVE-2026-25241
Published: 03 February 2026
Summary
CVE-2026-25241 is a critical-severity SQL Injection (CWE-89) vulnerability in Pear Pearweb, the pearweb application that serves the PEAR project's website. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 12.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly prevents the injection by requiring the package version supplied to the /get/<package>/<version> endpoint to be validated against an expected format before it reaches the database, so crafted values cannot alter the SQL statement.
- SI-2 (Flaw Remediation): ensures timely patching of the unauthenticated SQL injection in versions prior to 1.33.0, removing the flaw rather than only filtering requests to it.
- Vulnerability scanning (control identifier not named in the summary above): facilitates detection of unpatched instances through regular scanning, enabling remediation before exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated SQLi in a public web endpoint (/get/<package>/<version>) directly enables T1190 (Exploit Public-Facing Application) for initial access; arbitrary SQL execution on the backend database also directly facilitates T1213.006 (Data from Information Repositories: Databases) for extraction or modification.
NVD Description
PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, an unauthenticated SQL injection in the /get/<package>/<version> endpoint allows remote attackers to execute arbitrary SQL via a crafted package version. This issue has been patched in version 1.33.0.
Deeper analysis
CVE-2026-25241 is an unauthenticated SQL injection vulnerability (CWE-89) in pearweb, the web application of PEAR, a framework and distribution system for reusable PHP components. The flaw affects versions prior to 1.33.0 and resides in the /get/<package>/<version> endpoint, where remote attackers can execute arbitrary SQL queries by supplying a crafted package version. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): network-reachable, low attack complexity, and no privileges or user interaction required, with high impact to confidentiality, integrity and availability.
Unauthenticated remote attackers can exploit this vulnerability over the network without privileges or user interaction. By crafting a malicious package version parameter in requests to the affected endpoint, attackers can inject and execute arbitrary SQL, potentially extracting sensitive data, modifying database contents, or disrupting service availability.
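The vulnerable pattern and its fix, as an added illustration that is not pearweb's code: a version string concatenated into the SQL text (the CWE-89 defect) beside a handler that first checks the version against an allow-list pattern (the SI-10 control named above) and then binds it as a query parameter. The in-memory table, its rows, the injection payload and the version regex are all constructed for this example; the page does not show pearweb's real schema or query.

```python
import re
import sqlite3

# Constructed sample data standing in for a package-release table.
# This is NOT pearweb's schema; it exists only to make the example runnable.
RELEASES = [
    ("Example_Pkg", "1.0.0", "public"),
    ("Example_Pkg", "1.1.0", "public"),
    ("Secret_Pkg", "0.9.0", "private"),
]

# Constructed payload for the <version> path segment. The quote closes the
# string literal and the OR clause makes the WHERE condition always true.
INJECTION_PAYLOAD = "x' OR '1'='1"

# Assumed allow-list for PEAR-style versions: dotted digits plus an optional
# stability suffix such as RC1, beta2 or a1 (e.g. 1.10.16, 0.9.0RC1).
VERSION_RE = re.compile(r"^[0-9]+(\.[0-9]+)*([A-Za-z]+[0-9]*)?$")


def make_db():
    """Create a fresh in-memory SQLite database holding the sample releases."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE releases (package TEXT, version TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO releases VALUES (?, ?, ?)", RELEASES)
    return conn


def lookup_vulnerable(conn, package, version):
    """CWE-89 pattern: user-controlled version is spliced into the SQL text."""
    sql = ("SELECT package, version FROM releases "
           f"WHERE package = '{package}' AND version = '{version}'")
    return conn.execute(sql).fetchall()


def is_valid_version(version):
    """SI-10 style input validation: accept only the expected version syntax."""
    return VERSION_RE.fullmatch(version) is not None


def query_parameterized(conn, package, version):
    """Bound parameters: the driver sends values separately from the SQL text,
    so quotes in the version can never change the statement's structure."""
    sql = "SELECT package, version FROM releases WHERE package = ? AND version = ?"
    return conn.execute(sql, (package, version)).fetchall()


def lookup_hardened(conn, package, version):
    """Defense in depth: reject malformed versions up front, then query with
    bound parameters. The parameter binding alone stops the injection; the
    allow-list additionally keeps junk out of logs and later code paths."""
    if not is_valid_version(version):
        raise ValueError(f"rejected version string: {version!r}")
    return query_parameterized(conn, package, version)


if __name__ == "__main__":
    db = make_db()
    print("benign, vulnerable :", lookup_vulnerable(db, "Example_Pkg", "1.0.0"))
    print("payload, vulnerable:", lookup_vulnerable(db, "Example_Pkg", INJECTION_PAYLOAD))
    print("payload, bound only:", query_parameterized(db, "Example_Pkg", INJECTION_PAYLOAD))
    try:
        lookup_hardened(db, "Example_Pkg", INJECTION_PAYLOAD)
    except ValueError as exc:
        print("payload, hardened  :", exc)
```

Run as-is, the vulnerable lookup returns every row in the table for the payload, including the private release, while the parameterized query returns nothing and the hardened handler refuses the value before any SQL is issued. When auditing a real endpoint, look for the first pattern (request data inside an f-string, `sprintf`, or `.` concatenation that builds SQL) and replace it with the third.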
The GitHub security advisory at https://github.com/pear/pearweb/security/advisories/GHSA-63fv-vpq5-gv8p details the issue and confirms that it is patched in pearweb 1.33.0. Operators running their own instance of the PEAR website code should upgrade to 1.33.0 or later; until then, the affected /get/<package>/<version> endpoint should be treated as exposed to unauthenticated attackers.
Details
- CWE(s)