CVE-2026-25241 is a critical SQL injection vulnerability identified in the PEAR pearweb framework, a widely used PHP component distribution system. The flaw exists in versions prior to 1.33.0 within the /get/<package>/<version> endpoint, where the package version parameter is improperly sanitized, allowing an attacker to inject malicious SQL commands. This improper neutralization of special elements (CWE-89) enables unauthenticated remote attackers to execute arbitrary SQL queries against the backend database. The vulnerability does not require any authentication or user interaction, making it highly exploitable over the network. Successful exploitation can lead to unauthorized data disclosure, data modification, or deletion, and potentially full system compromise if the database is critical to application logic. The vulnerability was reserved on January 30, 2026, and published on February 3, 2026, with a CVSS 4.0 base score of 9.3, indicating critical severity. Although no active exploits have been reported, the ease of exploitation and impact on confidentiality, integrity, and availability make this a significant threat. The issue has been addressed in pearweb version 1.33.0, which includes proper input validation and sanitization to prevent SQL injection attacks.

For European organizations, this vulnerability poses a significant risk, especially those relying on PHP-based web applications that incorporate PEAR pearweb components. Exploitation could lead to unauthorized access to sensitive data, including personal data protected under GDPR, resulting in legal and financial repercussions. The integrity of data could be compromised, affecting business operations and trustworthiness of services. Availability could also be impacted if attackers delete or alter critical database records. Sectors such as finance, healthcare, government, and critical infrastructure that often use PHP frameworks for web services are particularly vulnerable. The unauthenticated nature of the exploit increases the attack surface, allowing attackers to target systems remotely without prior access. This could facilitate lateral movement or serve as an entry point for more complex attacks. The absence of known exploits in the wild currently provides a window for proactive mitigation, but the critical severity demands immediate attention.

European organizations should immediately upgrade all pearweb instances to version 1.33.0 or later to apply the official patch. In addition to patching, implement strict input validation and sanitization on all user-supplied data, especially parameters used in SQL queries. Employ parameterized queries or prepared statements to prevent injection attacks. Conduct thorough code reviews and security testing focusing on SQL injection vectors. Monitor web server and database logs for unusual query patterns or repeated access attempts to the /get/<package>/<version> endpoint. Deploy Web Application Firewalls (WAFs) with rules designed to detect and block SQL injection attempts targeting pearweb endpoints. Educate development and operations teams about secure coding practices and the importance of timely patch management. Finally, maintain an inventory of all PHP components and dependencies to quickly identify and remediate vulnerable versions.