phpMyAdmin
by PhpMyAdmin
Source repositories
CVEs (257)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2013-3241 | 0.03 | — | 0.04 | Apr 26, 2013 | export.php (aka the export script) in phpMyAdmin 4.x before 4.0.0-rc3 overwrites global variables on the basis of the contents of the POST superglobal array, which allows remote authenticated users to inject values via a crafted request. | |||
| CVE-2013-3240 | 0.03 | — | 0.05 | Apr 26, 2013 | Directory traversal vulnerability in the Export feature in phpMyAdmin 4.x before 4.0.0-rc3 allows remote authenticated users to read arbitrary files or possibly have unspecified other impact via a parameter that specifies a crafted export type. | |||
| CVE-2010-4480 | 0.03 | — | 0.06 | Dec 8, 2010 | error.php in PhpMyAdmin 3.3.8.1, and other versions before 3.4.0-beta1, allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted BBcode tag containing "@" characters, as demonstrated using "[a@url@page]". | |||
| CVE-2008-5621 | 0.03 | — | 0.02 | Dec 17, 2008 | Cross-site request forgery (CSRF) vulnerability in phpMyAdmin 2.11.x before 2.11.9.4 and 3.x before 3.1.1.0 allows remote attackers to perform unauthorized actions as the administrator via a link or IMG tag to tbl_structure.php with a modified table parameter. NOTE: other… | |||
| CVE-2008-4775 | 0.03 | — | 0.06 | Oct 28, 2008 | Cross-site scripting (XSS) vulnerability in pmd_pdf.php in phpMyAdmin 3.0.0, and possibly other versions including 2.11.9.2 and 3.0.1, when register_globals is enabled, allows remote attackers to inject arbitrary web script or HTML via the db parameter, a different vector than… | |||
| CVE-2007-5589 | 0.03 | — | 0.03 | Oct 19, 2007 | Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.11.1.2 allow remote attackers to inject arbitrary web script or HTML via certain input available in (1) PHP_SELF in (a) server_status.php, and (b) grab_globals.lib.php, (c)… | |||
| CVE-2007-5386 | 0.03 | — | 0.03 | Oct 12, 2007 | Cross-site scripting (XSS) vulnerability in scripts/setup.php in phpMyAdmin 2.11.1, when accessed by a browser that does not URL-encode requests, allows remote attackers to inject arbitrary web script or HTML via the query string. | |||
| CVE-2006-6943 | 0.03 | — | 0.04 | Jan 19, 2007 | PhpMyAdmin before 2.9.1.1 allows remote attackers to obtain the full server path via direct requests to (a) scripts/check_lang.php and (b) themes/darkblue_orange/layout.inc.php; and via the (1) lang[], (2) target[], (3) db[], (4) goto[], (5) table[], and (6) tbl_group[] array… | |||
| CVE-2006-6942 | 0.03 | — | 0.03 | Jan 19, 2007 | Multiple cross-site scripting (XSS) vulnerabilities in PhpMyAdmin before 2.9.1.1 allow remote attackers to inject arbitrary HTML or web script via (1) a comment for a table name, as exploited through (a) db_operations.php, (2) the db parameter to (b) db_create.php, (3) the… | |||
| CVE-2006-1803 | 0.03 | — | 0.03 | Apr 18, 2006 | Cross-site scripting (XSS) vulnerability in sql.php in phpMyAdmin 2.7.0-pl1 allows remote attackers to inject arbitrary web script or HTML via the sql_query parameter. | |||
| CVE-2006-1258 | 0.03 | — | 0.03 | Mar 19, 2006 | Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.8.0.1 allows remote attackers to inject arbitrary web script or HTML via the set_theme parameter. | |||
| CVE-2005-3301 | 0.03 | — | 0.06 | Oct 24, 2005 | Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.6.4-pl3 allow remote attackers to inject arbitrary web script or HTML via certain arguments to (1) left.php, (2) queryframe.php, or (3) server_databases.php. | |||
| CVE-2005-2869 | 0.03 | — | 0.05 | Sep 8, 2005 | Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.6.4 allow remote attackers to inject arbitrary web script or HTML via (1) the Username to libraries/auth/cookie.auth.lib.php or (2) the error parameter to error.php. | |||
| CVE-2005-0992 | 0.03 | — | 0.04 | May 2, 2005 | Cross-site scripting (XSS) vulnerability in index.php in phpMyAdmin before 2.6.2-rc1 allows remote attackers to inject arbitrary web script or HTML via the convcharset parameter. | |||
| CVE-2005-0543 | 0.03 | — | 0.04 | Feb 24, 2005 | Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.6.1 allows remote attackers to inject arbitrary HTML and web script via (1) the strServer, cfg[BgcolorOne], or strServerChoice parameters in select_server.lib.php, (2) the bg_color or row_no parameters in… | |||
| CVE-2010-3055 | 0.01 | — | 0.15 | Aug 24, 2010 | The configuration setup script (aka scripts/setup.php) in phpMyAdmin 2.11.x before 2.11.10.1 does not properly restrict key names in its output file, which allows remote attackers to execute arbitrary PHP code via a crafted POST request. | |||
| CVE-2019-25454 | 0.00 | — | 0.00 | Feb 20, 2026 | phpMoAdmin 1.1.5 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the collection parameter. Attackers can send GET requests to moadmin.php with script payloads in the collection parameter… | |||
| CVE-2019-25453 | 0.00 | — | 0.00 | Feb 20, 2026 | phpMoAdmin 1.1.5 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the newdb parameter. Attackers can craft URLs with JavaScript payloads in the newdb parameter of moadmin.php to execute… | |||
| CVE-2019-25451 | 0.00 | — | 0.00 | Feb 20, 2026 | phpMoAdmin 1.1.5 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized database operations by crafting malicious requests. Attackers can trick authenticated users into submitting GET requests to moadmin.php with parameters like action,… | |||
| CVE-2020-37116 | 0.00 | — | 0.00 | Feb 3, 2026 | GUnet OpenEclass 1.7.3 includes phpMyAdmin 2.10.0.2 by default, which allows remote logins. Attackers with access to the platform can remotely access phpMyAdmin and, after uploading a shell, view the config.php file to obtain the MySQL password, leading to full database… |
- CVE-2013-3241Apr 26, 2013risk 0.03cvss —epss 0.04
export.php (aka the export script) in phpMyAdmin 4.x before 4.0.0-rc3 overwrites global variables on the basis of the contents of the POST superglobal array, which allows remote authenticated users to inject values via a crafted request.
- CVE-2013-3240Apr 26, 2013risk 0.03cvss —epss 0.05
Directory traversal vulnerability in the Export feature in phpMyAdmin 4.x before 4.0.0-rc3 allows remote authenticated users to read arbitrary files or possibly have unspecified other impact via a parameter that specifies a crafted export type.
- CVE-2010-4480Dec 8, 2010risk 0.03cvss —epss 0.06
error.php in PhpMyAdmin 3.3.8.1, and other versions before 3.4.0-beta1, allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted BBcode tag containing "@" characters, as demonstrated using "[a@url@page]".
- CVE-2008-5621Dec 17, 2008risk 0.03cvss —epss 0.02
Cross-site request forgery (CSRF) vulnerability in phpMyAdmin 2.11.x before 2.11.9.4 and 3.x before 3.1.1.0 allows remote attackers to perform unauthorized actions as the administrator via a link or IMG tag to tbl_structure.php with a modified table parameter. NOTE: other…
- CVE-2008-4775Oct 28, 2008risk 0.03cvss —epss 0.06
Cross-site scripting (XSS) vulnerability in pmd_pdf.php in phpMyAdmin 3.0.0, and possibly other versions including 2.11.9.2 and 3.0.1, when register_globals is enabled, allows remote attackers to inject arbitrary web script or HTML via the db parameter, a different vector than…
- CVE-2007-5589Oct 19, 2007risk 0.03cvss —epss 0.03
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.11.1.2 allow remote attackers to inject arbitrary web script or HTML via certain input available in (1) PHP_SELF in (a) server_status.php, and (b) grab_globals.lib.php, (c)…
- CVE-2007-5386Oct 12, 2007risk 0.03cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in scripts/setup.php in phpMyAdmin 2.11.1, when accessed by a browser that does not URL-encode requests, allows remote attackers to inject arbitrary web script or HTML via the query string.
- CVE-2006-6943Jan 19, 2007risk 0.03cvss —epss 0.04
PhpMyAdmin before 2.9.1.1 allows remote attackers to obtain the full server path via direct requests to (a) scripts/check_lang.php and (b) themes/darkblue_orange/layout.inc.php; and via the (1) lang[], (2) target[], (3) db[], (4) goto[], (5) table[], and (6) tbl_group[] array…
- CVE-2006-6942Jan 19, 2007risk 0.03cvss —epss 0.03
Multiple cross-site scripting (XSS) vulnerabilities in PhpMyAdmin before 2.9.1.1 allow remote attackers to inject arbitrary HTML or web script via (1) a comment for a table name, as exploited through (a) db_operations.php, (2) the db parameter to (b) db_create.php, (3) the…
- CVE-2006-1803Apr 18, 2006risk 0.03cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in sql.php in phpMyAdmin 2.7.0-pl1 allows remote attackers to inject arbitrary web script or HTML via the sql_query parameter.
- CVE-2006-1258Mar 19, 2006risk 0.03cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.8.0.1 allows remote attackers to inject arbitrary web script or HTML via the set_theme parameter.
- CVE-2005-3301Oct 24, 2005risk 0.03cvss —epss 0.06
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.6.4-pl3 allow remote attackers to inject arbitrary web script or HTML via certain arguments to (1) left.php, (2) queryframe.php, or (3) server_databases.php.
- CVE-2005-2869Sep 8, 2005risk 0.03cvss —epss 0.05
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.6.4 allow remote attackers to inject arbitrary web script or HTML via (1) the Username to libraries/auth/cookie.auth.lib.php or (2) the error parameter to error.php.
- CVE-2005-0992May 2, 2005risk 0.03cvss —epss 0.04
Cross-site scripting (XSS) vulnerability in index.php in phpMyAdmin before 2.6.2-rc1 allows remote attackers to inject arbitrary web script or HTML via the convcharset parameter.
- CVE-2005-0543Feb 24, 2005risk 0.03cvss —epss 0.04
Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.6.1 allows remote attackers to inject arbitrary HTML and web script via (1) the strServer, cfg[BgcolorOne], or strServerChoice parameters in select_server.lib.php, (2) the bg_color or row_no parameters in…
- CVE-2010-3055Aug 24, 2010risk 0.01cvss —epss 0.15
The configuration setup script (aka scripts/setup.php) in phpMyAdmin 2.11.x before 2.11.10.1 does not properly restrict key names in its output file, which allows remote attackers to execute arbitrary PHP code via a crafted POST request.
- CVE-2019-25454Feb 20, 2026risk 0.00cvss —epss 0.00
phpMoAdmin 1.1.5 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the collection parameter. Attackers can send GET requests to moadmin.php with script payloads in the collection parameter…
- CVE-2019-25453Feb 20, 2026risk 0.00cvss —epss 0.00
phpMoAdmin 1.1.5 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the newdb parameter. Attackers can craft URLs with JavaScript payloads in the newdb parameter of moadmin.php to execute…
- CVE-2019-25451Feb 20, 2026risk 0.00cvss —epss 0.00
phpMoAdmin 1.1.5 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized database operations by crafting malicious requests. Attackers can trick authenticated users into submitting GET requests to moadmin.php with parameters like action,…
- CVE-2020-37116Feb 3, 2026risk 0.00cvss —epss 0.00
GUnet OpenEclass 1.7.3 includes phpMyAdmin 2.10.0.2 by default, which allows remote logins. Attackers with access to the platform can remotely access phpMyAdmin and, after uploading a shell, view the config.php file to obtain the MySQL password, leading to full database…
Page 6 of 13