9 matches found
CVE-2026-25234
PEAR (PHP components framework) before version 1.33.0 is vulnerable to a SQL injection in the category deletion operation when an attacker can access the category manager workflow. The root cause is unsafely handling the category id in this workflow, enabling SQL injection. The issue has been fix...
CVE-2026-25235
CVE-2026-25235 affects PEAR (PHP components framework). Before version 1.33.0, predictable verification hashes could allow an attacker to guess verification tokens and potentially verify election account requests without authorization. The issue has been patched in version 1.33.0. Affected scope ...
CVE-2026-25239
CVE-2026-25239 affects PEAR prior to version 1.33.0, where a SQL injection vulnerability exists in the apidoc queue insertion that could allow query manipulation if an attacker can influence the inserted filename value. The issue has been patched in version 1.33.0. Connected sources (Red Hat, NVD...
CVE-2026-25238
PEAR framework: Vulnerable before version 1.33.0 due to SQL injection in bug subscription deletion via crafted email value. Root cause is weak email validation that permits SQL injection in the deletion flow. Impact is described as high for confidentiality, integrity, and availability. The issue ...
CVE-2026-25233
PEAR framework (PHP) is affected by a logic bug in the roadmap role check that allowed non-lead maintainers to create, update, or delete roadmaps. The issue is caused by an operator precedence/authorization flaw and has been patched in version 1.33.0. Red Hat/Ubuntu/NVD references describe the sa...
CVE-2026-25237
CVE-2026-25237 affects the PEAR framework. Prior to version 1.33.0, handling of bug update emails using preg_replace() with the /e modifier can lead to PHP code execution when attacker-controlled content is evaluated. The issue has been fixed in PEAR version 1.33.0. Based on connected documents, ...
CVE-2026-25241
PEAR (PHP) is affected by CVE-2026-25241. Prior to version 1.33.0, an unauthenticated SQL injection in the /get// endpoint allows remote attackers to inject and execute arbitrary SQL. The issue is mitigated by upgrading to version 1.33.0, where the vulnerability is patched. The available connecte...
CVE-2026-25236
CVE-2026-25236 affects the PEAR PHP framework. The vulnerability is a SQL injection risk in karma queries caused by unsafe literal substitution for an IN (...) list. Root cause: unsafe literal handling in Karma DAMBLAN-related queries prior to version 1.33.0. Impact: potential SQL injection. Miti...
CVE-2026-25240
CVE-2026-25240 affects PEAR prior to 1.33.0 where a SQL injection can occur in user::maintains() when role filters are provided as an array and interpolated into an IN (...) clause. The issue has been patched in version 1.33.0. No exploitation details are provided in the documents. If applicable,...