CVE-2026-25236: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in pear pearweb
PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection risk exists in karma queries due to unsafe literal substitution for an IN (...) list. This issue has been patched in version 1.33.0.
AI Analysis
Technical Summary
CVE-2026-25236 is a SQL injection vulnerability in the pearweb component of the PEAR PHP framework, affecting versions prior to 1.33.0. It is classified as improper neutralization of special elements in SQL commands (CWE-89): the values of an IN (...) list in karma-related queries are substituted into the SQL text as literals rather than bound as parameters, so input containing quote characters or SQL syntax becomes part of the query itself. An unauthenticated attacker can therefore inject SQL remotely without user interaction, potentially gaining unauthorized access to or modifying data. The CVSS v4.0 base score is 6.9 (medium): network attack vector, low attack complexity, no privileges or user interaction required, and limited impact on confidentiality and integrity. No exploits are currently reported in the wild, but the flaw is a significant risk to applications relying on pearweb for PHP component management and distribution. It is patched in pearweb version 1.33.0, and users are strongly advised to upgrade. The case underlines why parameterized queries and proper input validation are needed to prevent SQL injection in PHP applications.
Potential Impact
For European organizations, the impact of CVE-2026-25236 can be significant if pearweb is integrated into their PHP development or deployment environments. Successful exploitation could allow attackers to execute arbitrary SQL commands, leading to unauthorized data disclosure, data manipulation, or corruption within affected systems. This compromises data confidentiality and integrity, potentially affecting sensitive business or user information. The vulnerability's remote exploitability without authentication increases the risk of widespread attacks, especially in web-facing applications. Organizations relying on pearweb for package management or internal tools may face operational disruptions or reputational damage if exploited. Although availability impact is not indicated, data integrity and confidentiality breaches could trigger compliance issues under GDPR and other European data protection regulations. The medium severity score suggests a moderate but actionable risk that should be addressed promptly to avoid escalation or chaining with other vulnerabilities.
Mitigation Recommendations
1. Upgrade pearweb to version 1.33.0 or later immediately to apply the official patch addressing the SQL injection vulnerability.
2. Conduct a thorough code audit of all PHP applications using pearweb components to identify and remediate any unsafe SQL query constructions, especially those involving dynamic IN (...) lists or literal substitutions.
3. Implement parameterized queries or prepared statements consistently across all database interactions to prevent injection attacks.
4. Employ Web Application Firewalls (WAFs) with SQL injection detection rules tailored to detect and block suspicious query patterns related to pearweb usage.
5. Monitor application logs and database access patterns for unusual or anomalous queries that could indicate exploitation attempts.
6. Educate development teams on secure coding practices focusing on input validation and sanitization to prevent similar vulnerabilities.
7. Review and tighten database user permissions to limit the potential damage of any successful injection attack.
8. If upgrading immediately is not feasible, consider temporarily disabling or restricting access to vulnerable pearweb functionalities until patched.
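The following is an added illustration, not pearweb's own code (the page does not show its queries), of the defect described above and of mitigation 3: a hypothetical karma lookup that substitutes an IN (...) list literally into the SQL text, beside a version that binds one placeholder per element. The table name, column names, and sample rows are assumed.

```php
<?php
// Added illustration, not pearweb's own code: a hypothetical "karma" lookup
// that filters on an IN (...) list. Table and column names are assumed.

// Unsafe pattern: list values are substituted literally into the SQL text,
// so any element containing a quote or SQL syntax becomes part of the query.
function karmaByUsersUnsafe(array $users): string
{
    $list = "'" . implode("','", $users) . "'";   // no escaping, no binding
    return "SELECT user, level FROM karma WHERE user IN ($list)";
}

// Hardened pattern: one placeholder per element, values bound by the driver,
// and an empty list short-circuited (IN () is invalid SQL anyway).
function karmaByUsers(PDO $db, array $users): array
{
    if ($users === []) {
        return [];
    }
    foreach ($users as $u) {
        if (!is_string($u)) {
            throw new InvalidArgumentException('user handles must be strings');
        }
    }
    $placeholders = implode(',', array_fill(0, count($users), '?'));
    $stmt = $db->prepare(
        "SELECT user, level FROM karma WHERE user IN ($placeholders)"
    );
    $stmt->execute(array_values($users));   // values travel separately from SQL
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data on an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE karma (user TEXT PRIMARY KEY, level INTEGER)');
$db->exec("INSERT INTO karma VALUES ('alice', 100), ('o''brien', 50)");

$input = ['alice', "o'brien"];   // a legitimate handle containing a quote

try {
    $db->query(karmaByUsersUnsafe($input));  // the quote is parsed as SQL syntax
} catch (PDOException $e) {
    echo "unsafe query rejected by the parser: ", $e->getMessage(), "\n";
}
print_r(karmaByUsers($db, $input));          // both rows; the quote is just data
```

The same property that makes the unsafe query fail on a harmless apostrophe is what lets attacker-controlled list elements alter the statement; the bound version treats every element as data regardless of its content.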
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-30T14:44:47.328Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 698245baf9fa50a62fda11e4
Added to database: 2/3/2026, 7:00:10 PM
Last enriched: 2/3/2026, 7:16:47 PM
Last updated: 2/7/2026, 12:00:48 AM