Unrated severityOSV Advisory· Published Feb 3, 2026· Updated Feb 4, 2026
PEAR is Vulnerable to SQL Injection in Damblan_Karma IN() Query via Literal Substitution
CVE-2026-25236
Description
PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection risk exists in karma queries due to unsafe literal substitution for an IN (...) list. This issue has been patched in version 1.33.0.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1- github.com/pear/pearweb/security/advisories/GHSA-95mc-p966-c29fmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.