VYPR
Medium severity (CVSS 6.3) · NVD Advisory · Published Feb 24, 2026 · Updated Apr 29, 2026

CVE-2026-3057

Description

pearProjectApi up to and including version 2.8.10 contains a SQL injection in the dateTotalForProject function. The projectCode parameter is inserted into the query without parameterization, allowing remote, unauthenticated attackers to extract database contents.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

CVE-2026-3057 describes a SQL injection vulnerability in the pearProjectApi backend, affecting versions up to and including 2.8.10. The flaw resides in the dateTotalForProject function in application/common/Model/Task.php. The projectCode parameter is taken directly from user input, neither validated nor bound as a query parameter, and is concatenated into the SQL string [1][2]. An attacker who controls that parameter therefore controls part of the query and can append arbitrary SQL.

Exploitation

The flaw is reachable remotely via an HTTP POST request to /index.php/project/Task/dateTotalForProject. The controller (application/project/controller/Task.php) passes projectCode unchanged to the model method, so no intermediate check stands between the request body and the query [1][2]. The published proof of concept supplies a value of 1* for projectCode and hands the request to sqlmap; the trailing asterisk is sqlmap's marker for a custom injection point, and the tool then enumerates the database from that position [1][2]. The vendor did not respond to the disclosure, and public exploit code has been released.

Impact

Successful exploitation allows an attacker to read arbitrary data from the database, potentially exposing all project information, user credentials, and other sensitive data stored by the application, and depending on the privileges of the application's database account and on whether the driver permits stacked queries, to modify or delete that data as well. Because the injection sits in a backend interface that may be exposed to the internet and requires no authentication, the practical impact can be severe despite the medium CVSS score.

Mitigation

As of the publication date, no patch has been released by the vendor. Users of pearProjectApi should block or disable the affected endpoint at the web server or WAF until a fix is available, or patch the code themselves so that projectCode is passed to the database as a bound parameter of a prepared statement rather than concatenated into the SQL string, with a format check (for example, restricting the value to the character set project codes actually use) as a second layer. Running the application under a database account with read-only, minimally scoped privileges limits what a successful injection can reach. Given the public availability of exploit code, immediate action is recommended.
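The following is an added illustration of the vulnerable pattern described under Exploitation and of the fix described under Mitigation. It is not code from pearProjectApi, which is written in PHP; it models the same data flow in Python against an in-memory SQLite database so that it can be run offline. The table and column names, the "date total" query shape, the project-code format rule, and the sample rows are all assumptions made for the example.

```python
"""
Constructed model of the CVE-2026-3057 pattern (not pearProjectApi code).

The real function is PHP; here the vulnerable and hardened variants are
written side by side so the difference can be exercised directly.
Schema, sample data, and the project-code format rule are assumptions.
"""
import re
import sqlite3

# Constructed sample data: a task table keyed by project code and a member
# table holding credentials that the injection should never be able to reach.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE task (id INTEGER PRIMARY KEY, project_code TEXT,
                           create_time TEXT);
        CREATE TABLE member (id INTEGER PRIMARY KEY, account TEXT,
                             password TEXT);
        INSERT INTO task VALUES (1, 'p1', '2026-02-01'),
                                (2, 'p1', '2026-02-01'),
                                (3, 'p2', '2026-02-02');
        INSERT INTO member VALUES (1, 'admin', '$2y$10$constructed_hash'),
                                  (2, 'alice', '$2y$10$another_hash');
        """
    )
    return conn


def date_total_vulnerable(conn: sqlite3.Connection, project_code: str):
    """Mirrors the flaw: the parameter is concatenated into the SQL text."""
    sql = (
        "SELECT create_time, COUNT(*) AS total FROM task "
        f"WHERE project_code = '{project_code}' GROUP BY create_time"
    )
    return conn.execute(sql).fetchall()


# Assumed format rule for project codes; adjust to the real identifier scheme.
PROJECT_CODE_RE = re.compile(r"[A-Za-z0-9]{1,32}")


def is_valid_project_code(project_code: str) -> bool:
    return PROJECT_CODE_RE.fullmatch(project_code) is not None


def date_total_safe(conn: sqlite3.Connection, project_code: str,
                    validate: bool = True):
    """Hardened variant: bound parameter plus an optional format check.

    The bound parameter alone defeats the injection; the format check is
    defence in depth so that hostile input is rejected before it reaches
    the database at all.
    """
    if validate and not is_valid_project_code(project_code):
        raise ValueError("invalid projectCode")
    sql = (
        "SELECT create_time, COUNT(*) AS total FROM task "
        "WHERE project_code = ? GROUP BY create_time"
    )
    return conn.execute(sql, (project_code,)).fetchall()


# Constructed UNION payload: closes the quoted literal, appends a SELECT over
# the credential table, and comments out the rest of the original query.
INJECTION_PAYLOAD = "p1' UNION SELECT account, password FROM member --"


if __name__ == "__main__":
    db = build_db()
    print("legitimate:", date_total_safe(db, "p1"))
    print("vulnerable + payload:", date_total_vulnerable(db, INJECTION_PAYLOAD))
    print("bound only + payload:", date_total_safe(db, INJECTION_PAYLOAD,
                                                   validate=False))
    try:
        date_total_safe(db, INJECTION_PAYLOAD)
    except ValueError as exc:
        print("validated + payload:", exc)
```

Run as a script, the vulnerable call returns the member accounts and password hashes alongside the task counts, the bound-parameter call returns no rows because the whole payload is compared as a literal string, and the validated call rejects the input before any query is issued.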

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches: 0 (no patches discovered yet)

References: 5

News mentions: 0 (no linked articles in the index yet)