CVE-2016-2561
Description
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.4.x before 4.4.15.5 and 4.5.x before 4.5.5.1 allow remote authenticated users to inject arbitrary web script or HTML via (1) normalization.php or (2) js/normalization.js in the database normalization page, (3) templates/database/structure/sortable_header.phtml in the database structure page, or (4) the pos parameter to db_central_columns.php in the central columns page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated XSS vulnerabilities in phpMyAdmin 4.4.x before 4.4.15.5 and 4.5.x before 4.5.5.1 via normalization, database structure, and central columns pages.
Vulnerability
Multiple reflected cross-site scripting (XSS) vulnerabilities exist in phpMyAdmin versions 4.4.x prior to 4.4.15.5 and 4.5.x prior to 4.5.5.1 [1][2]. The flaws reside in the database normalization page (via normalization.php and js/normalization.js), the database structure page (via templates/database/structure/sortable_header.phtml), and the central columns page (via the pos parameter to db_central_columns.php) [2][3][4]. An authenticated user can inject arbitrary web script or HTML by crafting table/column names or parameters that are not properly sanitized before being reflected in the page output.
Exploitation
An attacker must be a logged-in user of phpMyAdmin, as the usual token protection prevents unauthenticated access to the affected pages [2]. On the database normalization page, a crafted table or column name can trigger XSS when the normalization process reflects it. On the database structure page, a crafted tbl_type or tbl_group parameter (such as view or table) can inject script via the sortable header. On the central columns page, a crafted pos parameter to db_central_columns.php can inject script. The attacker does not need special privileges beyond normal user access to the phpMyAdmin interface [2][3][4].
Impact
A successful attack allows the authenticated attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, defacement of the phpMyAdmin interface, or theft of sensitive information displayed on the page [2]. The scope of compromise is limited to the authenticated user's session and the data accessible through phpMyAdmin.
Mitigation
Fix available: upgrade to phpMyAdmin 4.4.15.5 or 4.5.5.1, released on 2016-02-25 [2]. Alternatively, apply the relevant patches from the git commits: 90df124797175688a63be0d0a311210e92f09895 (4.4 branch) or commits 983faa94f161df3623ecd371d3696a1b3f91c15f, 746240bd13b62b5956fc34389cfbdc09e1e67775, f33a42f1da9db943a67bda7d29f7dd91957a8e7e, 37c34d089aa19f30d11203bb0c7f85b486424372, bcd4ce8cba1272fca52f2331c08f2e3ac19cbbef, and cc55f44a4a90147a007dee1aefa1cb529e23798b (4.5 branch) [1][3][4]. No workaround is documented; updating is the recommended mitigation. This CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
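To turn the affected ranges above into something an operator can run against an inventory, here is an added Python example (not part of this page or of phpMyAdmin itself) that compares a version string against the two fixed releases, 4.4.15.5 and 4.5.5.1. The pre-release ordering (beta/rc before the final build) is an assumption modelled on the CPE entries for 4.5.0 beta1, beta2 and rc1 that the record lists as affected.

```python
import re

# Affected ranges from the advisory text: 4.4.x before 4.4.15.5 and 4.5.x before 4.5.5.1.
# Keyed by (major, minor) branch -> first fixed release of that branch.
FIXED = {(4, 4): (4, 4, 15, 5), (4, 5): (4, 5, 5, 1)}

# Accepts "4.4.15.4", "4.5.0-rc1", "4.5.0beta2", "4.5.0.rc1" (separator optional).
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]?(alpha|beta|rc)(\d*))?$", re.IGNORECASE)


def parse_version(text):
    """Parse a phpMyAdmin version string into a comparable tuple.

    Numeric parts are padded to four places. Pre-release builds get a lower
    rank than the final release of the same number, so 4.5.0-rc1 < 4.5.0
    (assumption: mirrors how the CPE list treats 4.5.0:beta1 and 4.5.0:rc1
    as affected builds preceding 4.5.0)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))
    tag = (m.group(2) or "").lower()
    pre_rank = {"alpha": 0, "beta": 1, "rc": 2}.get(tag, 3)  # 3 = final release
    pre_num = int(m.group(3)) if m.group(3) else 0
    return tuple(nums[:4]) + (pre_rank, pre_num)


def is_affected(version):
    """True if this phpMyAdmin version falls inside a range the advisory names.

    Branches other than 4.4 and 4.5 are outside the CVE's scope and return
    False; that says nothing about other advisories for those branches."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return False
    return v < parse_version(".".join(map(str, fixed)))


if __name__ == "__main__":
    # Constructed sample inventory of version strings, not real hosts.
    for v in ("4.4.15.4", "4.4.15.5", "4.5.0-rc1", "4.5.5.1", "4.6.0"):
        print(f"{v:>10}: {'affected' if is_affected(v) else 'not affected'}")
```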
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.10:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.11:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.12:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.13:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.13.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.14:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.14.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.6:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.7:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.8:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.9:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.5:*:*:*:*:*:*:*
- Version range (no CPE): <4.4.15.5, <4.5.5.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/phpmyadmin/phpmyadmin/commit/37c34d089aa19f30d11203bb0c7f85b486424372 (NVD, Patch)
- github.com/phpmyadmin/phpmyadmin/commit/746240bd13b62b5956fc34389cfbdc09e1e67775 (NVD, Patch)
- github.com/phpmyadmin/phpmyadmin/commit/983faa94f161df3623ecd371d3696a1b3f91c15f (NVD, Patch)
- github.com/phpmyadmin/phpmyadmin/commit/bcd4ce8cba1272fca52f2331c08f2e3ac19cbbef (NVD, Patch)
- github.com/phpmyadmin/phpmyadmin/commit/cc55f44a4a90147a007dee1aefa1cb529e23798b (NVD, Patch)
- github.com/phpmyadmin/phpmyadmin/commit/f33a42f1da9db943a67bda7d29f7dd91957a8e7e (NVD, Patch)
- www.phpmyadmin.net/security/PMASA-2016-12/ (NVD, Patch, Vendor Advisory)
- lists.fedoraproject.org/pipermail/package-announce/2016-March/178562.html (NVD)
- lists.fedoraproject.org/pipermail/package-announce/2016-March/178869.html (NVD)
- lists.opensuse.org/opensuse-updates/2016-03/msg00018.html (NVD)
- lists.opensuse.org/opensuse-updates/2016-03/msg00020.html (NVD)
- www.debian.org/security/2016/dsa-3627 (NVD)
News mentions
No linked articles in our index yet.