5.3
Pear Project API 2.8.10 SQL Injection Risk: Unsecured Project Data Exposed
CVE-2026-3057
Summary
By manipulating the projectCode argument, an attacker can potentially inject malicious SQL and access sensitive data in Pear Project API version 2.8.10 and earlier. This could allow unauthorized access to information. Update to the latest version to mitigate this risk.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| a54552239 | pearprojectapi | <= 2.8.10 | – |
Original title
A security flaw has been discovered in a54552239 pearProjectApi up to 2.8.10. Affected is the function dateTotalForProject of the file application/common/Model/Task.php of the component Backend Int...
Original description
A security flaw has been discovered in a54552239 pearProjectApi up to 2.8.10. Affected is the function dateTotalForProject of the file application/common/Model/Task.php of the component Backend Interface. The manipulation of the argument projectCode results in sql injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
- nvd CVSS2.0: 6.5
- nvd CVSS3.1: 9.8
- nvd CVSS4.0: 5.3
Vulnerability type
- CWE-74: Injection
- CWE-89: SQL Injection
- https://github.com/XiaoyuZhou1997/CVE/issues/1 (Exploit, Issue Tracking, Third Party Advisory)
- https://github.com/XiaoyuZhou1997/CVE/issues/1#issue-3935708166 (Exploit, Issue Tracking, Third Party Advisory)
- https://vuldb.com/?ctiid.347413 (Permissions Required, VDB Entry)
- https://vuldb.com/?id.347413 (Third Party Advisory, VDB Entry)
- https://vuldb.com/?submit.757669 (Third Party Advisory, VDB Entry)
Published: 24 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026