CVE-2026-25236 is an SQL injection vulnerability classified under CWE-89 that affects pearweb, a component of the PEAR PHP framework used for reusable PHP components. The vulnerability exists in versions prior to 1.33.0 due to unsafe literal substitution in SQL queries related to karma queries, specifically when constructing an IN (...) list. This improper neutralization of special elements in SQL commands allows an attacker to inject malicious SQL code remotely without requiring authentication or user interaction. The vulnerability can lead to unauthorized modification of data integrity, such as altering or corrupting database records, though it does not directly impact confidentiality or availability. The vulnerability was publicly disclosed on February 3, 2026, and has been assigned a CVSS 4.0 base score of 6.9, indicating medium severity. No known exploits have been reported in the wild to date. The issue was addressed in pearweb version 1.33.0, which includes patches to safely handle literal substitutions in SQL queries. The vulnerability's ease of exploitation, combined with the widespread use of PEAR components in PHP applications, makes it a relevant threat to organizations using pearweb in their web infrastructure.

For European organizations, this vulnerability poses a risk primarily to web applications built on PHP that incorporate pearweb components prior to version 1.33.0. Successful exploitation could allow attackers to manipulate database queries, potentially leading to data corruption or unauthorized data modification. While the vulnerability does not directly compromise confidentiality or availability, the integrity impact could disrupt business operations, especially for applications relying on karma queries for critical functionality. Organizations in sectors such as finance, healthcare, and e-commerce, where data integrity is paramount, could face operational disruptions or reputational damage if exploited. The remote, unauthenticated nature of the vulnerability increases the risk of automated scanning and exploitation attempts, particularly on public-facing web servers. Given the absence of known exploits, the immediate risk is moderate, but delayed patching could increase exposure. The impact is compounded in environments lacking robust input validation and web application firewalls.

1. Upgrade pearweb to version 1.33.0 or later immediately to apply the official patch addressing the SQL injection vulnerability. 2. Conduct a thorough code review of all PHP applications using pearweb components to identify and remediate any unsafe SQL query constructions, especially those involving dynamic IN (...) lists. 3. Implement parameterized queries or prepared statements wherever possible to prevent SQL injection risks. 4. Deploy web application firewalls (WAFs) configured to detect and block SQL injection attempts targeting known vulnerable endpoints. 5. Enforce strict input validation and sanitization on all user-supplied data, particularly inputs that influence database queries. 6. Monitor application logs and network traffic for unusual query patterns or injection attempts. 7. Educate development teams on secure coding practices related to database interactions to prevent similar vulnerabilities in the future. 8. Establish a patch management process to ensure timely updates of third-party components like pearweb.