PEAR SQL Injection Vulnerability in Package Version Endpoint

Vulnerability

A critical unauthenticated SQL injection vulnerability has been identified in PEAR versions prior to 1.33.0. The issue resides in the '/get/<package>/<version>' endpoint: the version path segment is interpolated directly into a SQL query instead of being bound as a parameter, so a request whose version value contains SQL metacharacters (quotes, comment sequences, UNION clauses) changes the structure of the query rather than just its data. A remote attacker needs no credentials; a single crafted GET request to this path is enough to run attacker-controlled SQL against the backing database.
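To make the bug class concrete, the following is an added illustration written for this page, not code from PEAR or from the affected endpoint. It models a '/get/<package>/<version>' handler over a constructed in-memory SQLite table (the table name, columns, sample rows and the helper names are all assumptions), shows the string-interpolated query that the advisory describes beside a parameterized version, and demonstrates that a crafted version segment changes the query's meaning in the first but is rejected by the second. The payloads are generic SQL injection strings chosen to show the class of problem; they are not the specific input used against the real endpoint.

```python
import re
import sqlite3

# Constructed sample data standing in for a package-release table.
# This is NOT the schema of the affected project; it exists only so
# the example runs offline.
SAMPLE_RELEASES = [
    ("Foo", "1.0.0", "public"),
    ("Foo", "1.1.0", "public"),
    ("Bar", "2.0.0", "private"),
]

# Allow-lists for the two path segments (assumed policy, not PEAR's).
PACKAGE_RE = re.compile(r"^[A-Za-z0-9_]+$")
VERSION_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.+-]*$")


def make_db():
    """Build the in-memory table the handlers below query."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE releases (package TEXT, version TEXT, visibility TEXT)"
    )
    conn.executemany("INSERT INTO releases VALUES (?, ?, ?)", SAMPLE_RELEASES)
    return conn


def parse_get_path(path):
    """Split '/get/<package>/<version>' into its two raw segments."""
    parts = path.split("/")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "get" \
            or not parts[2] or not parts[3]:
        raise ValueError("expected /get/<package>/<version>")
    return parts[2], parts[3]


def lookup_vulnerable(conn, path):
    """The bug class: path segments are pasted straight into the SQL text."""
    package, version = parse_get_path(path)
    sql = (
        "SELECT package, version FROM releases "
        f"WHERE package = '{package}' AND version = '{version}'"
    )
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, path):
    """Hardened form: validate the segments, then bind them as parameters.

    Parameter binding alone closes the injection; the allow-list is
    defence in depth that also rejects obviously malformed requests early.
    """
    package, version = parse_get_path(path)
    if not PACKAGE_RE.match(package) or not VERSION_RE.match(version):
        raise ValueError("malformed package or version segment")
    sql = "SELECT package, version FROM releases WHERE package = ? AND version = ?"
    return conn.execute(sql, (package, version)).fetchall()


def fixed_rejects(conn, path):
    """True if the hardened handler refuses the request."""
    try:
        lookup_fixed(conn, path)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    benign = "/get/Foo/1.1.0"
    # Tautology: turns "version = '...'" into "... OR '1'='1'", matching every row.
    tautology = "/get/Foo/1.0.0' OR '1'='1"
    # UNION plus comment: reads a column the endpoint was never meant to expose.
    union = "/get/Foo/x' UNION SELECT package, visibility FROM releases --"
    print("benign, vulnerable:", lookup_vulnerable(db, benign))
    print("benign, fixed:     ", lookup_fixed(db, benign))
    print("tautology, vulnerable:", lookup_vulnerable(db, tautology))
    print("union, vulnerable:    ", lookup_vulnerable(db, union))
    print("tautology rejected by fixed handler:", fixed_rejects(db, tautology))
    print("union rejected by fixed handler:    ", fixed_rejects(db, union))
```

The interesting line is the f-string in `lookup_vulnerable`: because the quoting is part of the query text rather than handled by the driver, the attacker's closing quote ends the string literal and everything after it is parsed as SQL. In `lookup_fixed` the driver sends the values separately from the statement, so the same bytes are compared as a version string and match nothing.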

Impact

Exploitation gives a remote, unauthenticated attacker the ability to run arbitrary SQL against the application's database. What that yields in practice (reading data outside the intended scope, modifying or deleting rows, or abusing database-level features) depends on the privileges of the database account the endpoint uses, which is why least-privilege database credentials limit, but do not eliminate, the damage from this class of bug.

Remediation

Upgrade to PEAR 1.33.0 or later, which addresses this vulnerability. Where an upgrade cannot be applied immediately, rejecting version path segments that fall outside the expected character set at the web or proxy layer reduces exposure, but it is a stopgap and not a substitute for the parameterized query the fixed version provides.

Added: Feb 3, 2026, 7:30 PM
Updated: Feb 3, 2026, 7:30 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          3.1
  exploitability  7.4
  remediation     0.0
  relevance       2.5
  threat          0.0
  urgency         2.9
  incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.