Primary

Context

PEAR SQL Injection Vulnerability in Category Deletion

Vulnerability

A SQL injection vulnerability has been identified in PEAR versions prior to 1.33.0. This issue allows an attacker with access to the category manager workflow to inject SQL through a category ID during the category deletion process. The vulnerability arises because the deletion query in 'include/pear-database-category.php' uses the category ID directly in SQL without proper parameterization. Additionally, 'public_html/admin/category-manager.php' handles requests that can pass a parent or category ID from POST to the deletion logic.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate SQL queries to the database. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Remediation

Users can upgrade to PEAR version 1.33.0 or later to address this vulnerability.

Added: Feb 3, 2026, 7:34 PM

Updated: Feb 3, 2026, 7:34 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

3.1

exploitability

5.2

remediation

0.0

relevance

2.5

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

3.1

exploitability

5.2

remediation

0.0

relevance

2.5

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

PEAR SQL Injection Vulnerability in Category Deletion

Vulnerability

Impact

Remediation

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating