CVE-2020-26935
Description
An issue was discovered in SearchController in phpMyAdmin before 4.9.6 and 5.x before 5.0.3. A SQL injection vulnerability was discovered in how phpMyAdmin processes SQL statements in the search feature. An attacker could use this flaw to inject malicious SQL into a query.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in phpMyAdmin's search feature allows authenticated attackers to execute arbitrary SQL queries.
Vulnerability
CVE-2020-26935 is a SQL injection vulnerability in phpMyAdmin's SearchController, affecting versions before 4.9.6 and 5.0.x before 5.0.3. The flaw arises from improper sanitization of SQL statements processed during search operations, enabling an attacker to inject malicious SQL into a query [1][4].
Exploitation
An attacker must be authenticated to the phpMyAdmin instance to exploit this vulnerability. By crafting a specially designed input within the search feature, the attacker can inject arbitrary SQL commands that are executed by the database backend [2][4]. No special network position is required beyond access to the phpMyAdmin web interface.
Impact
Successful exploitation allows the attacker to read, modify, or delete database contents, potentially compromising the entire database server. This could lead to data exfiltration, privilege escalation, or further attacks on the underlying system [1][4].
Mitigation
The vulnerability is fixed in phpMyAdmin 4.9.6 and 5.0.3. Users should upgrade immediately or apply the provided patch [4]. No workarounds are documented; upgrading is the recommended action.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| phpmyadmin/phpmyadmin (Packagist) | >= 4.9.0, < 4.9.6 | 4.9.6 |
| phpmyadmin/phpmyadmin (Packagist) | >= 5.0.0, < 5.0.3 | 5.0.3 |
Affected products
- phpMyAdmin/phpMyAdmin (description)
- osv-coords, 8 versions:
  - pkg:bitnami/phpmyadmin
  - pkg:composer/phpmyadmin/phpmyadmin
  - pkg:rpm/opensuse/phpMyAdmin&distro=openSUSE%20Leap%2015.1
  - pkg:rpm/opensuse/phpMyAdmin&distro=openSUSE%20Leap%2015.2
  - pkg:rpm/suse/phpMyAdmin&distro=SUSE%20Package%20Hub%2012
  - pkg:rpm/suse/phpMyAdmin&distro=SUSE%20Package%20Hub%2015
  - pkg:rpm/suse/phpMyAdmin&distro=SUSE%20Package%20Hub%2015%20SP1
  - pkg:rpm/suse/phpMyAdmin&distro=SUSE%20Package%20Hub%2015%20SP2
- (no CPE) range: >= 4.9.0, < 4.9.6
- (no CPE) range: >= 4.9.0, < 4.9.6
- (no CPE) range: < 4.9.6-bp152.2.3.1
- (no CPE) range: < 4.9.6-bp152.2.3.1
- (no CPE) range: < 4.9.6-bp152.2.3.1
- (no CPE) range: < 4.9.7-bp151.3.24.1
- (no CPE) range: < 4.9.6-bp152.2.3.1
- (no CPE) range: < 4.9.6-bp152.2.3.1
Patches
No patches discovered yet.
References
- lists.opensuse.org/opensuse-security-announce/2020-10/msg00027.html (ghsa, vendor-advisory, x_refsource_SUSE, WEB)
- lists.opensuse.org/opensuse-security-announce/2020-11/msg00005.html (ghsa, vendor-advisory, x_refsource_SUSE, WEB)
- github.com/advisories/GHSA-7ff4-cv53-4cjq (ghsa, ADVISORY)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FHST4E5IJG7IKZTTW3R6MEZPVHJZ472K/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PXK37YEHSDYCIPQSYEMN2OFTP2ZLM7DO/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TNLGHVDNAEZEGRTUESSSQFM7MZTHIDQ5/ (mitre, vendor-advisory, x_refsource_FEDORA)
- nvd.nist.gov/vuln/detail/CVE-2020-26935 (ghsa, ADVISORY)
- security.gentoo.org/glsa/202101-35 (ghsa, vendor-advisory, x_refsource_GENTOO, WEB)
- advisory.checkmarx.net/advisory/CX-2020-4281 (ghsa, x_refsource_MISC, WEB)
- github.com/FriendsOfPHP/security-advisories/blob/master/phpmyadmin/phpmyadmin/CVE-2020-26935.yaml (ghsa, WEB)
- lists.debian.org/debian-lts-announce/2020/10/msg00024.html (ghsa, mailing-list, x_refsource_MLIST, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FHST4E5IJG7IKZTTW3R6MEZPVHJZ472K (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXK37YEHSDYCIPQSYEMN2OFTP2ZLM7DO (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNLGHVDNAEZEGRTUESSSQFM7MZTHIDQ5 (ghsa, WEB)
- www.phpmyadmin.net/security/PMASA-2020-6 (ghsa, WEB)
- www.phpmyadmin.net/security/PMASA-2020-6/ (mitre, x_refsource_MISC)