CVE-2016-2040
Description
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 allow remote authenticated users to inject arbitrary web script or HTML via a (1) table name, (2) SET value, (3) search query, or (4) hostname in a Location header.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Multiple stored XSS vulnerabilities in phpMyAdmin allow authenticated users to inject arbitrary web script via crafted table names, SET values, search queries, or hostname headers.
Vulnerability
Multiple cross-site scripting (XSS) vulnerabilities exist in phpMyAdmin versions 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 [1][3]. The vulnerabilities occur in the database search page (via crafted table name), the zoom search page (via crafted SET value or search query), and the home page (via crafted hostname in the Location header) [3]. The input is not properly escaped before being rendered in the browser.
Exploitation
An attacker must be an authenticated user of phpMyAdmin [3]. The attacker can craft a malicious table name, SET value, search query, or hostname header. For example, creating a table with a name containing JavaScript payload will trigger XSS when the database search page is accessed. Similarly, a crafted SET value or search query in the zoom search page, or a malicious hostname header sent to the home page, will execute the injected script [3].
Impact
Successful exploitation allows the attacker to inject arbitrary web script or HTML in the context of the phpMyAdmin session [1]. This can lead to session hijacking, defacement, or theft of sensitive information displayed in the interface. The impact is limited to authenticated users, but an attacker with low privileges can potentially escalate to higher privileges or access other users' data.
Mitigation
Upgrade to phpMyAdmin 4.0.10.13, 4.4.15.3, or 4.5.4 or later [3]. Patches are available in the GitHub repository [2]. No workaround is provided; upgrading is the recommended solution. The vulnerabilities are not listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
phpmyadmin/phpmyadminPackagist | >= 4.0, < 4.0.10.13 | 4.0.10.13 |
phpmyadmin/phpmyadminPackagist | >= 4.4, < 4.4.15.3 | 4.4.15.3 |
phpmyadmin/phpmyadminPackagist | >= 4.5, < 4.5.4 | 4.5.4 |
Affected products
53cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:*:*:*:*:*:*:*+ 45 more
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.10:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.11:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.12:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.6:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.7:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.8:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.9:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.10:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.11:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.12:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.13:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.13.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.14.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.6:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.7:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.8:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.9:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.3:*:*:*:*:*:*:*
- (no CPE)range: <=4.5.3
cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*
- ghsa-coords2 versions
>= 4.0, < 4.0.10.13+ 1 more
- (no CPE)range: >= 4.0, < 4.0.10.13
- (no CPE)range: < 4.6.5.2-1.1
Patches
3aca42efa0191Escape javascript variable content
1 file changed · +2 −2
templates/header_location.phtml+2 −2 modified@@ -25,8 +25,8 @@ $uri = isset($uri) ? $uri : null; <body> <script type="text/javascript"> //<![CDATA[ - document.write('<p><a href="<?php echo htmlspecialchars($uri) ?>"><?php echo __('Go') ?></a></p>'); + document.write('<p><a href="<?php echo PMA_escapeJsString(htmlspecialchars($uri)) ?>"><?php echo __('Go') ?></a></p>'); //]]> </script> </body> -</html> \ No newline at end of file +</html>
75a558240124Fix XSS in DB_search.php
1 file changed · +2 −1
libraries/DbSearch.class.php+2 −1 modified@@ -344,7 +344,8 @@ private function _getResultsRow($each_table, $newsearchsqls, $odd_row, $res_cnt) $browse_result_path = 'sql.php' . PMA_URL_getCommon($this_url_params); $html_output .= '<td><a name="browse_search" class="ajax" href="' . $browse_result_path . '" onclick="loadResult(\'' - . $browse_result_path . '\',\'' . $each_table . '\',\'' + . $browse_result_path . '\',\'' + . PMA_escapeJsString(htmlspecialchars($each_table)) . '\',\'' . PMA_URL_getCommon( array( 'db' => $GLOBALS['db'], 'table' => $each_table
edffb52884b0Fix XSS in zoom search
1 file changed · +2 −2
templates/table/search/rows_zoom.phtml+2 −2 modified@@ -56,7 +56,7 @@ for ($i = 0; $i < 4; $i++): ?> } ?> <!-- Column type --> <td dir="ltr"> - <?php echo (isset($type[$i]) ? $type[$i] : ''); ?> + <?php echo (isset($type[$i]) ? htmlspecialchars($type[$i]) : ''); ?> </td> <!-- Column Collation --> <td> @@ -68,7 +68,7 @@ for ($i = 0; $i < 4; $i++): ?> </td> <!-- Inputbox for search criteria value --> <td> - <?php echo (isset($value[$i]) ? $value[$i] : ''); ?> + <?php echo (isset($value[$i]) ? htmlspecialchars($value[$i]) : ''); ?> </td> </tr> <!-- Displays hidden fields -->
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
11- www.phpmyadmin.net/home_page/security/PMASA-2016-3.phpnvdPatchVendor AdvisoryWEB
- github.com/phpmyadmin/phpmyadmin/commit/75a55824012406a08c4debf5ddb7ae41c32a7dbcnvdPatchWEB
- github.com/phpmyadmin/phpmyadmin/commit/aca42efa01917cc0fe8cfdb2927a6399ca1742f2nvdPatchWEB
- github.com/phpmyadmin/phpmyadmin/commit/edffb52884b09562490081c3b8666ef46c296418nvdPatchWEB
- lists.fedoraproject.org/pipermail/package-announce/2016-February/176483.htmlnvdThird Party AdvisoryWEB
- lists.fedoraproject.org/pipermail/package-announce/2016-February/176739.htmlnvdThird Party AdvisoryWEB
- lists.opensuse.org/opensuse-updates/2016-02/msg00028.htmlnvdThird Party AdvisoryWEB
- lists.opensuse.org/opensuse-updates/2016-02/msg00049.htmlnvdThird Party AdvisoryWEB
- github.com/advisories/GHSA-pw34-qf6c-84fcghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2016-2040ghsaADVISORY
- www.debian.org/security/2016/dsa-3627nvdWEB
News mentions
0No linked articles in our index yet.