CVE-2026-3057

Summary

A security flaw has been discovered in a54552239 pearProjectApi up to 2.8.10. Affected is the function dateTotalForProject of the file application/common/Model/Task.php of the component Backend Interface. The manipulation of the argument projectCode results in sql injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Affected Software

VendorProductVersion RangeStatus
a54552239pearProjectApi2.8.0affected
a54552239pearProjectApi2.8.1affected
a54552239pearProjectApi2.8.2affected
a54552239pearProjectApi2.8.3affected
a54552239pearProjectApi2.8.4affected
a54552239pearProjectApi2.8.5affected
a54552239pearProjectApi2.8.6affected
a54552239pearProjectApi2.8.7affected
a54552239pearProjectApi2.8.8affected
a54552239pearProjectApi2.8.9affected
a54552239pearProjectApi2.8.10affected

Weaknesses

  • CWE-89: SQL Injection
  • CWE-74: Injection

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References