CVE-2026-25236

Discovered by AISLE | PUBLISHED | CWE-89

Description

PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection risk exists in karma queries due to unsafe literal substitution for an IN (...) list. This issue has been patched in version 1.33.0.
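The pattern named in the description, shown beside a parameterized form. This is an added example, not pearweb's code or its patch; the use of PDO with in-memory SQLite, the `karma(user, level)` table, the sample rows and both function names are assumptions made for illustration.

```php
<?php
// Added example, not pearweb code. Schema, data and function names are hypothetical.
declare(strict_types=1);

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE karma (user TEXT, level TEXT)');
$db->exec("INSERT INTO karma VALUES
    ('alice', 'pear.dev'), ('bob', 'pear.admin'), ('carol', 'pear.doc')");

// Unsafe pattern (CWE-89): list elements are spliced into the SQL text as
// quoted literals, so a quote inside an element changes the statement itself.
function usersWithLevelUnsafe(PDO $db, array $levels): array
{
    $list = "'" . implode("', '", $levels) . "'";
    $sql  = "SELECT user FROM karma WHERE level IN ($list) ORDER BY user";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened form: one bound placeholder per element. Only the number of
// placeholders depends on the input; the values never reach the SQL text.
function usersWithLevelSafe(PDO $db, array $levels): array
{
    $levels = array_values(array_filter($levels, 'is_string'));
    if ($levels === []) {
        return []; // "IN ()" is a syntax error, so answer without querying
    }
    $marks = implode(', ', array_fill(0, count($levels), '?'));
    $stmt  = $db->prepare(
        "SELECT user FROM karma WHERE level IN ($marks) ORDER BY user"
    );
    $stmt->execute($levels);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed input: the second element contains a quote and a parenthesis.
$input = ['pear.dev', "x') OR ('1'='1"];

// Same input through both functions; compare the two result sets.
var_dump(usersWithLevelUnsafe($db, $input));
var_dump(usersWithLevelSafe($db, $input));
```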

CVSS Base Scores

CVSS v4.0: 6.9

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Products

Vendor  Product  Version   Status
pear    pearweb  < 1.33.0  affected

References