CVE-2016-2559
Description
Cross-site scripting (XSS) vulnerability in the format function in libraries/sql-parser/src/Utils/Error.php in the SQL parser in phpMyAdmin 4.5.x before 4.5.5.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted query.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
XSS vulnerability in phpMyAdmin SQL parser allows authenticated users to inject arbitrary HTML/JavaScript via crafted queries.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in the format function in libraries/sql-parser/src/Utils/Error.php of the SQL parser in phpMyAdmin. Versions 4.5.x prior to 4.5.5.1 are affected [1][4]. The flaw is triggered when the parser processes a crafted SQL query: text taken from the query is placed into the resulting error message without being escaped for HTML output.
Exploitation
An attacker must be an authenticated user of phpMyAdmin. The attacker can trigger the vulnerability by submitting a specially crafted SQL query via the SQL query page. No additional privileges or user interaction beyond authentication are required [4].
Impact
Successful exploitation allows the attacker to inject arbitrary web script or HTML into the application context, leading to a stored or reflected XSS attack. This can result in session hijacking, credential theft, or other malicious actions within the victim's browser session [1].
Mitigation
The vulnerability is fixed in phpMyAdmin version 4.5.5.1, released on 2016-02-25. Users should upgrade to this version or later. Alternatively, the patch can be applied from commit 3a6a9a807d99371ee126635e1a505fc1fe0df32c [2][4]. No workarounds are documented.
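The flaw and its fix side by side, as an added PHP illustration that is not phpMyAdmin's own code: a minimal reconstruction of the sql-parser `Error::format()` helper in which the token copied from the query is first formatted raw and then HTML-escaped as the patch does. The error-tuple layout `[message, code, token, position]`, the function names and the default format string are assumptions made for this example.

```php
<?php
// Illustration added here; not phpMyAdmin's code. Minimal reconstruction of the
// sql-parser Error::format() helper before and after the CVE-2016-2559 fix.
// Assumptions for this example: each error is [message, code, token, position]
// and the default format string shown below.

const ERR_FORMAT = '#%1$d: %2$s (near "%3$s" at position %4$d)';

/** Pre-fix behaviour: the token copied from the user's query is formatted verbatim. */
function formatErrorsUnsafe(array $errors, string $format = ERR_FORMAT): array
{
    $ret = [];
    $i = 0;
    foreach ($errors as $err) {
        $ret[] = sprintf($format, ++$i, $err[0], $err[1], $err[2], $err[3]);
    }
    return $ret;
}

/** Fixed behaviour: the token is HTML-escaped before it reaches the format string.
 *  ENT_QUOTES and an explicit charset are stricter than the patch's bare call. */
function formatErrorsSafe(array $errors, string $format = ERR_FORMAT): array
{
    $ret = [];
    $i = 0;
    foreach ($errors as $err) {
        $ret[] = sprintf(
            $format,
            ++$i,
            $err[0],
            $err[1],
            htmlspecialchars($err[2], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
            $err[3]
        );
    }
    return $ret;
}

// Constructed sample: a parse error whose offending token carries HTML markup,
// as a crafted query submitted through the SQL page would produce.
$errors = [
    ['Unexpected token.', 0, '" <i>marker</i>', 14],
];

// Unsafe: the quote and tags pass straight through to whatever renders the message.
echo implode("\n", formatErrorsUnsafe($errors)), "\n";
// Safe: the same token comes back entity-encoded and renders as literal text.
echo implode("\n", formatErrorsSafe($errors)), "\n";
```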
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| phpmyadmin/phpmyadmin (Packagist) | >= 4.5, < 4.5.5.1 | 4.5.5.1 |
Affected products
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.5:*:*:*:*:*:*:*
- (no CPE) range: >=4.5.0, <4.5.5.1
- GHSA coordinates, 2 version ranges:
  - (no CPE) range: >= 4.5, < 4.5.5.1
  - (no CPE) range: < 4.6.5.2-1.1
Patches
3a6a9a807d99: Escape query when displaying
1 file changed · +1 −1
libraries/sql-parser/src/Utils/Error.php+1 −1 modified@@ -90,7 +90,7 @@ public static function format( ++$i, $err[0], $err[1], - $err[2], + htmlspecialchars($err[2]), $err[3] ); }
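Review bot: the hunk wraps only `$err[2]` in `htmlspecialchars()` with default flags inside `format()`, which bakes an HTML-specific encoding into a helper that every consumer of parser errors shares: a caller that renders to plain text, JSON or the CLI now receives entity-encoded tokens, while a caller that places the message in a single-quoted or attribute context is still exposed, because the default flags do not encode single quotes. Prefer escaping at the point of HTML output in the displaying caller, or at minimum pass `ENT_QUOTES` and an explicit charset, e.g. `htmlspecialchars($err[2], ENT_QUOTES, 'UTF-8')`. The change touches one file with no test; a regression test feeding a token containing `<`, `"` and `'` through `format()` would pin the intended behaviour, and the same review applies to `$err[0]` and `$format` if either can ever carry caller-supplied text.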
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-7rf8-9r8f-qf59 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2016-2559 (GHSA, advisory)
- www.phpmyadmin.net/security/PMASA-2016-10/ (NVD, vendor advisory)
- lists.fedoraproject.org/pipermail/package-announce/2016-March/178562.html (NVD, web)
- lists.fedoraproject.org/pipermail/package-announce/2016-March/178869.html (NVD, web)
- github.com/phpmyadmin/phpmyadmin/commit/3a6a9a807d99371ee126635e1a505fc1fe0df32c (NVD, web)
- www.phpmyadmin.net/security/PMASA-2016-10 (GHSA, web)