CVE-2026-25241 is a critical SQL injection vulnerability identified in the PEAR pearweb framework, a PHP-based system used for distributing reusable components. The flaw exists in the /get/<package>/<version> endpoint, where the 'version' parameter is improperly sanitized, allowing an attacker to inject malicious SQL commands. Because the vulnerability is unauthenticated and requires no user interaction, remote attackers can exploit it to execute arbitrary SQL queries against the backend database. This can lead to unauthorized data disclosure, data manipulation, or even complete system compromise depending on the database privileges. The vulnerability affects all pearweb versions prior to 1.33.0, with the vendor having released a patch in version 1.33.0 to address the issue. The CVSS 4.0 base score of 9.3 reflects the vulnerability's critical nature, highlighting its network attack vector, low complexity, no privileges required, and no user interaction needed. Although no public exploits have been reported yet, the vulnerability's characteristics make it a prime target for attackers seeking to compromise PHP-based infrastructure. The vulnerability falls under CWE-89, which covers improper neutralization of special elements in SQL commands, a common and dangerous web application security flaw. Organizations using pearweb for package management or development should prioritize patching and monitoring for suspicious activity related to this endpoint.

For European organizations, this vulnerability presents a significant risk to the confidentiality, integrity, and availability of their systems. Exploitation could lead to unauthorized access to sensitive data stored in databases, including intellectual property, user credentials, or internal configuration data. Attackers could manipulate or delete data, disrupt services, or leverage the compromised system as a foothold for further network intrusion. Given the unauthenticated nature of the exploit, attackers can target exposed pearweb instances directly over the internet, increasing the attack surface. Organizations involved in software development, package distribution, or those relying on PHP-based infrastructure are particularly vulnerable. The impact extends to regulatory compliance risks under GDPR if personal data is exposed or altered. Additionally, disruption of development workflows or package management services could have operational consequences. The lack of known exploits in the wild currently provides a window for proactive mitigation, but the critical severity demands immediate attention to prevent potential future attacks.

1. Immediately upgrade all pearweb instances to version 1.33.0 or later, where the vulnerability is patched. 2. Implement strict input validation and sanitization on all user-supplied parameters, especially those used in SQL queries. 3. Deploy Web Application Firewalls (WAFs) with rules specifically designed to detect and block SQL injection payloads targeting the /get/<package>/<version> endpoint. 4. Conduct thorough code reviews and security testing on custom PHP components interacting with pearweb to identify any similar injection flaws. 5. Restrict network exposure of pearweb services to trusted internal networks or VPNs where possible to reduce external attack vectors. 6. Monitor logs and network traffic for unusual or suspicious requests targeting the vulnerable endpoint. 7. Educate development and operations teams about the risks of SQL injection and secure coding practices. 8. Regularly audit and update all third-party components and dependencies to ensure timely application of security patches.