VYPR
Medium severity · 6.1 · NVD Advisory · Published Jul 3, 2016 · Updated May 6, 2026

CVE-2016-5732

Description

Multiple cross-site scripting (XSS) vulnerabilities in the partition-range implementation in templates/table/structure/display_partitions.phtml in the table-structure page in phpMyAdmin 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via crafted table parameters.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Multiple XSS vulnerabilities in phpMyAdmin 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script via crafted table parameters on the table-structure page.

Vulnerability

The partition-range implementation in templates/table/structure/display_partitions.phtml of phpMyAdmin 4.6.x before 4.6.3 contains multiple cross-site scripting (XSS) vulnerabilities. An attacker can inject arbitrary web script or HTML via specially crafted table parameters on the table-structure page. All 4.6.x versions prior to 4.6.3 are affected [1][2].

Exploitation

An attacker requires access to the phpMyAdmin interface as an authenticated user (or the ability to trick an authenticated user into visiting a malicious link). By crafting table parameters (e.g., partition range values), the attacker can inject malicious scripts that execute in the context of the victim's session when the table-structure page is rendered.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive data displayed on the page. The attack is limited to the permissions of the victim user within phpMyAdmin.

Mitigation

The vulnerability is fixed in phpMyAdmin 4.6.3. Users should upgrade to 4.6.3 or later. Alternatively, the patches from commits 0815af3 and 792cd12 can be applied [2]. No workarounds are available; upgrading is the recommended action.
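The narrative above describes table metadata reaching the table-structure page without escaping. The following PHP stand-in is an added example, not phpMyAdmin's own code: it renders a partition row the way the template did before the fix and the way it does after, using a constructed $partition array whose field names are assumptions (in phpMyAdmin the values come from the Partition object). Assumes PHP 8.

```php
<?php
// Added example, not phpMyAdmin code: a minimal stand-in for the row and
// header rendering in display_partitions.phtml, before and after the fix.
declare(strict_types=1);

// Constructed sample partition. The markup in it is deliberately harmless;
// the point is whether the browser would see it as elements or as text.
// In phpMyAdmin these strings originate from table metadata, i.e. from
// whoever defined the table, not from the viewing user.
$partition = [
    'name'    => 'p0',
    'method'  => 'RANGE',
    'expr'    => 'YEAR(created) <b>bold</b>',
    'comment' => 'first <i>range</i>',
];

// Before the fix (equivalent to <td><?= $partition->getComment(); ?></td>):
// metadata is concatenated straight into the HTML.
function renderRowUnescaped(array $p): string
{
    return '<tr><td>' . $p['name'] . '</td><td>' . $p['comment'] . '</td></tr>';
}

// After the fix (commits 0815af3 / 792cd12 wrap each value in htmlspecialchars()):
// every metadata string is emitted as text, never as markup.
function esc(string $s): string
{
    // ENT_QUOTES also covers attribute contexts; ENT_SUBSTITUTE avoids
    // returning '' on invalid UTF-8, which would silently drop content.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderRowEscaped(array $p): string
{
    return '<tr><td>' . esc($p['name']) . '</td><td>' . esc($p['comment']) . '</td></tr>';
}

// Mirrors the "Partitioned by:" <code> block from the second patch.
function renderHeader(array $p): string
{
    return '<code>' . esc($p['method']) . '(' . esc($p['expr']) . ' )</code>';
}

// Self-check: escaped output must not carry a raw tag taken from the data.
$unsafe = renderRowUnescaped($partition);
$safe   = renderRowEscaped($partition);
assert(str_contains($unsafe, '<i>range</i>'));           // parsed as an element
assert(!str_contains($safe, '<i>'));
assert(str_contains($safe, '&lt;i&gt;range&lt;/i&gt;')); // shown literally
echo $safe, "\n", renderHeader($partition), "\n";
```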

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: phpmyadmin/phpmyadmin (Packagist)
Affected versions: >= 4.6.0, < 4.6.3
Patched versions: 4.6.3

Affected products

  • cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.0:alpha1:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.2:*:*:*:*:*:*:*
  • (no CPE) range: < 4.6.3
  • GHSA version ranges:
    • >= 4.6.0, < 4.6.3
    • < 4.6.5.2-1.1

Patches

Commit 792cd1262f01: Escape partition comment when displaying

Author: Michal Čihař, Jun 22, 2016 (via GHSA), https://github.com/phpmyadmin/phpmyadmin
1 file changed, +1 −1: templates/table/structure/display_partitions.phtml (modified)
    @@ -74,7 +74,7 @@ use PMA\libraries\Util; ?>
                                 <span><?= $value; ?></span>
                                 <span class="unit"><?= $unit; ?></span>
                             </td>
    -                        <td><?= $partition->getComment(); ?></td>
    +                        <td><?= htmlspecialchars($partition->getComment()); ?></td>
                             <?php foreach ($actionIcons as $action => $icon): ?>
                                 <td>
                                     <a  href="tbl_structure.php<?= $url_query; ?>&amp;partition_maintenance=1&amp;sql_query=<?= urlencode(
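Review bot: Wrapping `$partition->getComment()` in `htmlspecialchars()` is the right fix for this text-content context, and the default flags suffice because the value is not emitted inside an attribute. The `<?= $value; ?>` and `<?= $unit; ?>` spans in the context lines just above are still output unescaped; confirm those come from an internal size formatter rather than from partition metadata, otherwise they need the same treatment.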
    
Commit 0815af37f483: Add missing escaping to partition listing

Author: Michal Čihař, Jun 17, 2016 (via GHSA), https://github.com/phpmyadmin/phpmyadmin
1 file changed, +3 −3: templates/table/structure/display_partitions.phtml (modified)
    @@ -10,12 +10,12 @@ use PMA\libraries\Util; ?>
             <?php else: ?>
                 <p>
                     <?= __('Partitioned by:');?>
    -                <code><?= $partitionMethod , '(' , $partitionExpression , ' )'; ?></code>
    +                <code><?= htmlspecialchars($partitionMethod) , '(' , htmlspecialchars($partitionExpression) , ' )'; ?></code>
                 </p>
                 <?php if ($hasSubPartitions): ?>
                     <p>
                         <?= __('Sub partitioned by:'); ?>
    -                    <code><?= $subPartitionMethod , '(' , $subPartitionExpression , ' )'; ?></code>
    +                    <code><?= htmlspecialchars($subPartitionMethod) , '(' , htmlspecialchars($subPartitionExpression) , ' )'; ?></code>
                     <p>
                 <?php endif; ?>
                 <table>
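Review bot: The `htmlspecialchars()` calls added around `$partitionMethod`, `$partitionExpression`, `$subPartitionMethod` and `$subPartitionExpression` close the gap, but the unchanged context line directly after the sub-partition `<code>` reads `<p>` where `</p>` is expected, so that paragraph is never closed; worth correcting while this block is being touched. Escaping per variable rather than the concatenated string is fine here, since the `(` and ` )` pieces are template literals.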
    @@ -139,4 +139,4 @@ use PMA\libraries\Util; ?>
                 <?php endif; ?>
             </form>
         </fieldset>
    -</div>
    \ No newline at end of file
    +</div>
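Review bot: Whitespace-only change (trailing newline restored), so no escaping concern, but it is unrelated to the security fix and would be cleaner as a separate commit or at least mentioned in the commit message.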
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
