CVE-2025-24530
Description
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An XSS vulnerability in phpMyAdmin's check tables feature allows attackers to inject arbitrary web scripts via crafted table/database names.
Overview
CVE-2025-24530 is a cross-site scripting (XSS) vulnerability in phpMyAdmin's "Check tables" feature, affecting versions 5.x prior to 5.2.2 [1][2]. The root cause is that table and database names are rendered without HTML escaping (the fix commit wraps the affected message in htmlspecialchars), so a specially crafted name can inject arbitrary HTML/JavaScript into the page shown to the user.
Exploitation
To exploit this, an attacker must have the ability to create a database or table with a malicious name, which typically requires database creation privileges. When a phpMyAdmin user (e.g., an administrator) triggers the "Check tables" operation on the affected database, the crafted name is processed without proper escaping, leading to script injection in the admin's browser session [2].
Impact
Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the phpMyAdmin interface. This could lead to session hijacking, sensitive data exfiltration, or further attacks against the database server, depending on the victim's privileges [2].
Mitigation
The vulnerability is fixed in phpMyAdmin 5.2.2, released on 2025-01-20. Users should upgrade immediately or apply the provided patch. Debian LTS has also released an update [1][2]. No workarounds have been disclosed, so upgrading is the recommended action.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| phpmyadmin/phpmyadmin | Packagist | >= 5.0.0, < 5.2.2 | 5.2.2 |
Affected products
- (no CPE) range: >= 5.0.0, < 5.2.2
- (no CPE) range: < 5.2.2
- OSV coordinates (4 versions):
  - pkg:bitnami/phpmyadmin, range: >= 5.0.0, < 5.2.2
  - pkg:composer/phpmyadmin/phpmyadmin, range: >= 5.0.0, < 5.2.2
  - pkg:rpm/opensuse/phpMyAdmin&distro=openSUSE%20Leap%2015.6, range: < 5.2.2-bp156.4.3.1
  - pkg:rpm/suse/phpMyAdmin&distro=SUSE%20Package%20Hub%2015%20SP6, range: < 5.2.2-bp156.4.3.1
Patches
23c13a817097 Fix unescaped table name when checking tables
1 file changed · +2 −1
libraries/classes/Table/Maintenance.php+2 −1 modified@@ -13,6 +13,7 @@ use PhpMyAdmin\Util; use function __; +use function htmlspecialchars; use function implode; use function sprintf; @@ -119,7 +120,7 @@ public function getIndexesProblems(DatabaseName $db, array $tables): string continue; } - $indexesProblems .= sprintf(__('Problems with indexes of table `%s`'), $table->getName()); + $indexesProblems .= htmlspecialchars(sprintf(__('Problems with indexes of table `%s`'), $table->getName())); $indexesProblems .= $check; }
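Review bot: in the getIndexesProblems hunk only the sprintf result is wrapped in htmlspecialchars, while `$check`, concatenated on the very next line (`$indexesProblems .= $check;`), is still appended as-is; please confirm it is already HTML-safe where it is built, or escape it here as well. Escaping the whole formatted message also entity-encodes any markup that the translated format string itself contains; escaping just `$table->getName()` before it is passed to sprintf would be the narrower change. Consider passing ENT_QUOTES | ENT_SUBSTITUTE explicitly, since the default htmlspecialchars flags on PHP versions before 8.1 leave single quotes unencoded.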
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-222v-cx2c-q2f5 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-24530 (GHSA, advisory)
- github.com/phpmyadmin/phpmyadmin/commit/23c13a81709728089ff031e5b1c29b5e91baa6a7 (GHSA, web)
- lists.debian.org/debian-lts-announce/2025/04/msg00016.html (NVD, web)
- www.phpmyadmin.net/security/PMASA-2025-1 (GHSA, web)
- www.phpmyadmin.net/security/PMASA-2025-1/ (NVD)