CVE-2020-22452
Description
SQL Injection vulnerability in function getTableCreationQuery in CreateAddField.php in phpMyAdmin 5.x before 5.2.0 via the tbl_storage_engine or tbl_collation parameters to tbl_create.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection vulnerability in phpMyAdmin 5.x before 5.2.0 allows attackers to execute arbitrary SQL via crafted tbl_storage_engine or tbl_collation parameters.
Vulnerability
Description
CVE-2020-22452 is a SQL injection vulnerability in phpMyAdmin versions 5.x prior to 5.2.0. The flaw resides in the getTableCreationQuery function within CreateAddField.php. The parameters tbl_storage_engine and tbl_collation are not properly sanitized before being incorporated into SQL queries, allowing an attacker to inject malicious SQL code [1][4].
Exploitation
An authenticated attacker can exploit this vulnerability by sending a crafted HTTP request to tbl_create.php with manipulated values in the tbl_storage_engine or tbl_collation parameters. The attack requires valid credentials for the phpMyAdmin interface and access to the table creation functionality. The issue was reported in GitHub issue #15898, which includes steps to reproduce the injection [4].
Impact
Successful exploitation enables an attacker to execute arbitrary SQL commands on the underlying database server. This could lead to unauthorized data access, data modification, or complete compromise of the database, depending on the privileges of the phpMyAdmin user [1].
Mitigation
The vulnerability is patched in phpMyAdmin version 5.2.0. Users are strongly advised to upgrade to this version or later. The fix was implemented in pull request #16004, which properly escapes the vulnerable parameters [3]. No workaround is available for affected versions.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| phpmyadmin/phpmyadmin (Packagist) | >= 5.0.0, < 5.0.2 | 5.0.2 |
Affected products
- phpMyAdmin/phpMyAdmin
  - osv-coords (2 version ranges): >= 5.0.0, < 5.2.0 (+ 1 more)
  - (no CPE) range: >= 5.0.0, < 5.2.0
  - (no CPE) range: >= 5.0.0, < 5.0.2
Patches
bc982466f08d: Add ChangeLog entry for #15898
1 file changed · +1 −0
ChangeLog+1 −0 modified@@ -61,6 +61,7 @@ phpMyAdmin - ChangeLog - issue #16022 Fix uncaught TypeError on browse foreigners - issue Fix failure if relational display field value is NULL - "Display column for relationships" - issue #16033 Remove vendor bin files from non source version of phpMyAdmin +- issue #15898 [security] Fix escape tbl_storage_engine argument used on tbl_create.php 5.0.1 (2020-01-07) - issue #15719 Fixed error 500 when browsing a table when $cfg['LimitChars'] used a string and not an int value
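Review bot: the added ChangeLog line names only the tbl_storage_engine argument, while the advisory description for this CVE lists both tbl_storage_engine and tbl_collation as affected parameters of tbl_create.php; the entry should mention both so readers of the ChangeLog do not conclude that collation handling was untouched. It would also help traceability to reference the fix pull request (#16004) and the CVE identifier alongside "issue #15898 [security]", since the issue number alone does not point at the code change.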
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-prcg-mc23-hgjh (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-22452 (GHSA, advisory)
- github.com/phpmyadmin/phpmyadmin/commit/bc982466f08ddccad4804ba928f84ff8e25107cb (GHSA, web)
- github.com/phpmyadmin/phpmyadmin/issues/15898 (GHSA, web)
- github.com/phpmyadmin/phpmyadmin/pull/16004 (GHSA, web)
- phpmyadmin.com (MITRE)
- github.com/phpmyadmin/phpmyadmin/blob/master/ChangeLog (MITRE)
News mentions
No linked articles in our index yet.