CVE-2026-25234: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in pear pearweb
PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in category deletion can allow an attacker with access to the category manager workflow to inject SQL via a category id. This issue has been patched in version 1.33.0.
AI Analysis
Technical Summary
CVE-2026-25234 is an SQL injection vulnerability classified under CWE-89, found in the pearweb component of the PEAR PHP framework. The flaw exists in the category deletion workflow, where the category ID parameter is improperly sanitized, allowing an attacker with access to the category manager to inject arbitrary SQL commands. This vulnerability arises due to improper neutralization of special elements in SQL commands, enabling manipulation of backend database queries. The vulnerability affects all pearweb versions prior to 1.33.0 and has been addressed in that release. The CVSS v4.0 base score is 5.3, indicating medium severity, with an attack vector of network, low attack complexity, no privileges required beyond category manager access, no user interaction, and limited impact on integrity. Exploitation could allow unauthorized data modification or disclosure, potentially compromising the confidentiality and integrity of the affected system's data. No public exploits have been reported, but the vulnerability poses a risk to any deployment using vulnerable versions. The patch involves proper input validation and use of parameterized queries to prevent SQL injection. Organizations should update to version 1.33.0 or later to remediate this issue.
Potential Impact
For European organizations, this vulnerability could lead to unauthorized access or manipulation of sensitive data stored in databases managed via pearweb. The SQL injection could allow attackers to extract confidential information, alter or delete data, or escalate privileges if combined with other vulnerabilities. This undermines data integrity and confidentiality, potentially violating GDPR and other data protection regulations. The requirement for category manager access limits the attack surface but insider threats or compromised credentials could facilitate exploitation. Organizations relying on pearweb for content or category management in PHP environments are at risk, especially if they have not applied the patch. The impact extends to operational disruption if database integrity is compromised. Given the medium severity and no known active exploitation, the immediate risk is moderate but warrants prompt remediation to avoid potential data breaches and compliance issues.
Mitigation Recommendations
1. Upgrade pearweb to version 1.33.0 or later immediately to apply the official patch addressing the SQL injection vulnerability.
2. Restrict access to the category manager workflow strictly to trusted and authenticated users, employing role-based access controls and multi-factor authentication where possible.
3. Implement additional input validation and sanitization on all user-supplied inputs, especially those interacting with database queries.
4. Use parameterized queries or prepared statements in any custom code interfacing with the database to prevent injection attacks.
5. Monitor logs for unusual database query patterns or access attempts to the category manager interface.
6. Conduct regular security audits and vulnerability scans on PHP-based web applications to detect similar injection flaws.
7. Educate developers and administrators about secure coding practices and the risks of SQL injection.
8. Consider deploying Web Application Firewalls (WAFs) with rules to detect and block SQL injection attempts targeting pearweb endpoints.
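As an added illustration of recommendations 3 and 4 (not pearweb's code, which this advisory does not show), the following PHP contrasts a category deletion that interpolates the id into the SQL string with one that validates the id as a positive integer and binds it as a parameter; the in-memory SQLite table and the `deleteCategory` function names are constructed for the example.

```php
<?php
// Constructed illustration of the pattern behind this advisory: a category id
// taken from the request is used to delete a row. Not pearweb's own code.
declare(strict_types=1);

// Assumption: an in-memory SQLite database stands in for the site's database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO categories (id, name) VALUES (1, 'Database'), (2, 'Mail')");

// Weak pattern: the id is interpolated directly into the SQL text, so any
// non-numeric input changes the structure of the query rather than its data.
function deleteCategoryUnsafe(PDO $pdo, string $id): int
{
    return $pdo->exec("DELETE FROM categories WHERE id = $id");
}

// Hardened pattern: reject anything that is not a positive integer, then bind
// the value as a typed parameter so the database never parses it as SQL.
function deleteCategory(PDO $pdo, string $rawId): int
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('category id must be a positive integer');
    }
    $stmt = $pdo->prepare('DELETE FROM categories WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount(); // number of rows actually deleted
}

// A well-formed id deletes exactly one row.
var_dump(deleteCategory($pdo, '2')); // int(1)

// A malformed id is refused before any SQL is built; the unsafe variant would
// have handed the same string to the database as part of the query text.
try {
    deleteCategory($pdo, '2 OR id > 0');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Rejecting the id up front also gives the log monitoring in recommendation 5 a precise event to alert on: a non-integer category id reaching the deletion endpoint.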
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-30T14:44:47.328Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 698245baf9fa50a62fda11de
Added to database: 2/3/2026, 7:00:10 PM
Last enriched: 2/3/2026, 7:16:59 PM
Last updated: 2/5/2026, 12:02:55 PM