CVE-2020-26934
Description
phpMyAdmin before 4.9.6 and 5.x before 5.0.3 allows XSS through the transformation feature via a crafted link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
phpMyAdmin before 4.9.6 and 5.0.x before 5.0.3 allows XSS via crafted links in the transformation feature.
Vulnerability
CVE-2020-26934 is a cross-site scripting (XSS) vulnerability in phpMyAdmin's transformation feature. The flaw exists because user-supplied input is not properly sanitized before being processed by the transformation functionality, allowing an attacker to inject arbitrary JavaScript. This vulnerability was introduced in phpMyAdmin 2.5.0 and affects all versions prior to 4.9.6 and 5.0.x prior to 5.0.3 [1][4].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious link that, when clicked by an authenticated phpMyAdmin user, triggers the XSS payload. The attack does not require any special privileges beyond the victim being logged into phpMyAdmin. The crafted link leverages the transformation feature to execute the injected script in the context of the victim's session [4].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, theft of sensitive data (such as database credentials displayed in the interface), or unauthorized actions performed on behalf of the victim within phpMyAdmin [1][4].
Mitigation
The vulnerability is fixed in phpMyAdmin versions 4.9.6 and 5.0.3. Users are advised to upgrade immediately or apply the patch referenced in the official advisory [4]. openSUSE also released a security update for affected packages [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| phpmyadmin/phpmyadmin (Packagist) | >= 4.9.0, < 4.9.6 | 4.9.6 |
| phpmyadmin/phpmyadmin (Packagist) | >= 5.0.0, < 5.0.3 | 5.0.3 |
Affected products
- phpMyAdmin/phpMyAdmin (description)
- osv-coords (8 versions):
  - pkg:bitnami/phpmyadmin
  - pkg:composer/phpmyadmin/phpmyadmin
  - pkg:rpm/opensuse/phpMyAdmin&distro=openSUSE%20Leap%2015.1
  - pkg:rpm/opensuse/phpMyAdmin&distro=openSUSE%20Leap%2015.2
  - pkg:rpm/suse/phpMyAdmin&distro=SUSE%20Package%20Hub%2012
  - pkg:rpm/suse/phpMyAdmin&distro=SUSE%20Package%20Hub%2015
  - pkg:rpm/suse/phpMyAdmin&distro=SUSE%20Package%20Hub%2015%20SP1
  - pkg:rpm/suse/phpMyAdmin&distro=SUSE%20Package%20Hub%2015%20SP2
- (no CPE) range: >= 4.9.0, < 4.9.6
- (no CPE) range: >= 4.9.0, < 4.9.6
- (no CPE) range: < 4.9.6-bp152.2.3.1
- (no CPE) range: < 4.9.6-bp152.2.3.1
- (no CPE) range: < 4.9.6-bp152.2.3.1
- (no CPE) range: < 4.9.7-bp151.3.24.1
- (no CPE) range: < 4.9.6-bp152.2.3.1
- (no CPE) range: < 4.9.6-bp152.2.3.1
Patches
No patches discovered yet.
References
- lists.opensuse.org/opensuse-security-announce/2020-10/msg00027.html (ghsa, vendor-advisory, x_refsource_SUSE, WEB)
- lists.opensuse.org/opensuse-security-announce/2020-11/msg00005.html (ghsa, vendor-advisory, x_refsource_SUSE, WEB)
- github.com/advisories/GHSA-6349-53vr-7hcr (ghsa, ADVISORY)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FHST4E5IJG7IKZTTW3R6MEZPVHJZ472K/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PXK37YEHSDYCIPQSYEMN2OFTP2ZLM7DO/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TNLGHVDNAEZEGRTUESSSQFM7MZTHIDQ5/ (mitre, vendor-advisory, x_refsource_FEDORA)
- nvd.nist.gov/vuln/detail/CVE-2020-26934 (ghsa, ADVISORY)
- security.gentoo.org/glsa/202101-35 (ghsa, vendor-advisory, x_refsource_GENTOO, WEB)
- github.com/FriendsOfPHP/security-advisories/blob/master/phpmyadmin/phpmyadmin/CVE-2020-26934.yaml (ghsa, WEB)
- lists.debian.org/debian-lts-announce/2020/10/msg00024.html (ghsa, mailing-list, x_refsource_MLIST, WEB)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FHST4E5IJG7IKZTTW3R6MEZPVHJZ472K (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PXK37YEHSDYCIPQSYEMN2OFTP2ZLM7DO (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TNLGHVDNAEZEGRTUESSSQFM7MZTHIDQ5 (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FHST4E5IJG7IKZTTW3R6MEZPVHJZ472K (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXK37YEHSDYCIPQSYEMN2OFTP2ZLM7DO (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNLGHVDNAEZEGRTUESSSQFM7MZTHIDQ5 (ghsa, WEB)
- www.phpmyadmin.net/security/PMASA-2020-5 (ghsa, WEB)
- www.phpmyadmin.net/security/PMASA-2020-5/ (mitre, x_refsource_MISC)