CVE-2026-3057 identifies a SQL injection vulnerability in the pearProjectApi product developed by a54552239, affecting all versions from 2.8.0 through 2.8.10. The vulnerability resides in the dateTotalForProject function located in application/common/Model/Task.php, part of the Backend Interface component. The issue arises due to improper sanitization or validation of the projectCode parameter, which is directly used in SQL queries. This allows an attacker to inject malicious SQL code remotely without requiring authentication or user interaction. Exploitation can lead to unauthorized data access, modification, or deletion within the backend database, potentially compromising confidentiality, integrity, and availability. The vulnerability has a CVSS 4.0 base score of 5.3, reflecting medium severity, with an attack vector of network and low attack complexity. The vendor was notified early but has not issued any patches or advisories, and a public exploit has been released, increasing the risk of exploitation. No known active exploitation campaigns have been reported yet. This vulnerability is critical for organizations relying on pearProjectApi for project management or related backend services, as it exposes sensitive data and backend systems to remote attackers.

The SQL injection vulnerability in pearProjectApi can have significant impacts on organizations worldwide using this software. Successful exploitation can lead to unauthorized disclosure of sensitive project data, modification or deletion of records, and potential disruption of backend services. This compromises the confidentiality, integrity, and availability of critical business information. Attackers could leverage this vulnerability to escalate privileges, pivot within internal networks, or conduct further attacks such as ransomware deployment. The lack of vendor response and absence of official patches increase the risk of exploitation. Organizations may face data breaches, regulatory compliance violations, operational downtime, and reputational damage. The medium severity score indicates a moderate but tangible risk that requires timely remediation to prevent exploitation, especially given the availability of a public exploit.

1. Immediate mitigation should include implementing input validation and sanitization on the projectCode parameter at the application level to prevent SQL injection. 2. Employ Web Application Firewalls (WAFs) with custom rules to detect and block malicious SQL injection payloads targeting the vulnerable endpoint. 3. Restrict database user privileges used by pearProjectApi to the minimum necessary, limiting the impact of any successful injection. 4. Monitor application logs and network traffic for unusual queries or access patterns indicative of exploitation attempts. 5. If possible, isolate the affected backend interface from public networks or restrict access via VPN or IP whitelisting. 6. Engage in code review and refactor the vulnerable function to use parameterized queries or prepared statements to eliminate injection risk. 7. Since no official patch is available, consider upgrading to a future patched version once released or applying community-developed patches cautiously. 8. Conduct penetration testing and vulnerability scanning to confirm mitigation effectiveness. 9. Maintain regular backups of critical data to enable recovery in case of compromise. 10. Stay informed on vendor updates or security advisories regarding this vulnerability.