Primary

Context

PEAR SQL Injection Vulnerability in User Role Filter

Vulnerability

Patched

A SQL injection vulnerability has been identified in PEAR versions prior to 1.33.0. The issue arises in the 'user::maintains()' function when role filters are supplied as an array and directly inserted into an 'IN (...)' clause without proper parameter binding. This flaw allows attackers to manipulate role strings and inject malicious SQL into the query.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Remediation

Users can upgrade to PEAR version 1.33.0 or later to address this vulnerability.

Added: Feb 3, 2026, 7:31 PM

Updated: Feb 3, 2026, 7:31 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

3.1

exploitability

7.4

remediation

0.0

relevance

2.5

threat

0.0

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

3.1

exploitability

7.4

remediation

0.0

relevance

2.5

threat

0.0

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

PEAR SQL Injection Vulnerability in User Role Filter

Vulnerability

Impact

Remediation

Affected Products

PEAR

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating