CVE-2004-2630
Description
phpMyAdmin versions 2.5.0 to 2.6.0-pl1 contain a remote command execution vulnerability via shell metacharacters in the MIME transformation system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the MIME transformation system, specifically in the file transformations/text_plain__external.inc.php. Affected are phpMyAdmin versions from 2.5.0 up to 2.6.0-pl1. The issue allows attackers to inject shell metacharacters through unspecified vectors, leading to arbitrary command execution when PHP's "safe mode" is disabled [1][3].
Exploitation
An attacker must have access to a phpMyAdmin instance with the MIME-based transformation system enabled for external transformations. No authentication is explicitly required by the vulnerability description; an attacker can send crafted input containing shell metacharacters. The exploitability depends on PHP's "safe mode" being turned off [1][3].
Impact
Successful exploitation allows a remote attacker to execute arbitrary operating system commands on the server. This can lead to full compromise of the database server and potentially the underlying host, depending on the privileges of the web server process [3][4].
Mitigation
The vulnerability is fixed in phpMyAdmin version 2.6.0_p2 (Gentoo package version) and later. Users should upgrade to 2.6.0-pl2 or newer. There is no known workaround if upgrading is not possible; disabling external transformations may reduce risk but is not a complete fix. The issue is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog [3][4].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.2_pl1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.5_pl1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.5_rc1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.5_rc2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.6_rc1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.6_rc2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.7:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.7_pl1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.0_pl1:*:*:*:*:*:*:*
- (no CPE) range: 2.5.0 - 2.6.0-pl1
References
- secunia.com/advisories/12813 (nvd, Patch)
- secunia.com/advisories/12859 (nvd, Patch, Vendor Advisory)
- securitytracker.com/alerts/2004/Oct/1011761.html (nvd, Patch)
- www.gentoo.org/security/en/glsa/glsa-200410-14.xml (nvd, Patch)
- www.phpmyadmin.net/home_page/security.php (nvd, Patch)
- www.securityfocus.com/bid/11391 (nvd, Patch)
- marc.info (nvd)
- marc.info (nvd)
- www.osvdb.org/10715 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/17698 (nvd)