Vendor
PhpMyAdmin
phpMyAdmin is a free and open source administration tool for MySQL and MariaDB. As a portable web application written primarily in PHP, it has become one of the most popular MySQL administration tools, especially for web hosting services.
Founded 1998
Products
2
CVEs
270
Across products
7,815
Status
Private
Products
2- 7,021 CVEs
- 794 CVEs
Recent CVEs
270| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2009-1151 | Cri | 0.86 | 9.8 | 0.93 | KEV | Mar 26, 2009 | Static code injection vulnerability in setup.php in phpMyAdmin 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 allows remote attackers to inject arbitrary PHP code into a configuration file via the save action. |
| CVE-2017-11187 | Cri | 0.64 | 9.8 | 0.00 | Jul 12, 2017 | phpMyFAQ before 2.9.8 does not properly mitigate brute-force attacks that try many passwords in attempted logins quickly. | |
| CVE-2016-9866 | Cri | 0.64 | 9.8 | 0.00 | Dec 11, 2016 | An issue was discovered in phpMyAdmin. When the arg_separator is different from its default & value, the CSRF token was not properly stripped from the return URL of the preference import action. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. | |
| CVE-2016-9865 | Cri | 0.64 | 9.8 | 0.00 | Dec 11, 2016 | An issue was discovered in phpMyAdmin. Due to a bug in serialized string parsing, it was possible to bypass the protection offered by PMA_safeUnserialize() function. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. | |
| CVE-2016-9849 | Cri | 0.64 | 9.8 | 0.00 | Dec 11, 2016 | An issue was discovered in phpMyAdmin. It is possible to bypass AllowRoot restriction ($cfg['Servers'][$i]['AllowRoot']) and deny rules for username by using Null Byte in the username. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. | |
| CVE-2016-6629 | Cri | 0.64 | 9.8 | 0.00 | Dec 11, 2016 | An issue was discovered in phpMyAdmin involving the $cfg['ArbitraryServerRegexp'] configuration directive. An attacker could reuse certain cookie values in a way of bypassing the servers defined by ArbitraryServerRegexp. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. | |
| CVE-2016-6620 | Cri | 0.64 | 9.8 | 0.02 | Dec 11, 2016 | An issue was discovered in phpMyAdmin. Some data is passed to the PHP unserialize() function without verification that it's valid serialized data. The unserialization can result in code execution because of the interaction with object instantiation and autoloading. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. | |
| CVE-2016-5703 | Cri | 0.64 | 9.8 | 0.02 | Jul 3, 2016 | SQL injection vulnerability in libraries/central_columns.lib.php in phpMyAdmin 4.4.x before 4.4.15.7 and 4.6.x before 4.6.3 allows remote attackers to execute arbitrary SQL commands via a crafted database name that is mishandled in a central column query. | |
| CVE-2017-15808 | Hig | 0.60 | 8.8 | 0.00 | Oct 23, 2017 | In phpMyFaq before 2.9.9, there is CSRF in admin/ajax.config.php. | |
| CVE-2017-15735 | Hig | 0.60 | 8.8 | 0.00 | Oct 22, 2017 | In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) for modifying a glossary. | |
| CVE-2017-15734 | Hig | 0.60 | 8.8 | 0.00 | Oct 22, 2017 | In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.main.php. | |
| CVE-2017-15730 | Hig | 0.60 | 8.8 | 0.00 | Oct 22, 2017 | In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.ratings.php. | |
| CVE-2026-34728 | Hig | 0.57 | 8.7 | 0.00 | Apr 2, 2026 | phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the MediaBrowserController::index() method handles file deletion for the media browser. When the fileRemove action is triggered, the user-supplied name parameter is concatenated with the base upload directory path without any path traversal validation. The FILTER_SANITIZE_SPECIAL_CHARS filter only encodes HTML special characters (&, ', ", <, >) and characters with ASCII value < 32, and does not prevent directory traversal sequences like ../. Additionally, the endpoint does not validate CSRF tokens, making it exploitable via CSRF attacks. This issue has been patched in version 4.1.1. | |
| CVE-2017-15733 | Hig | 0.57 | 8.8 | 0.00 | Oct 22, 2017 | In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/ajax.attachment.php and admin/att.main.php. | |
| CVE-2017-15732 | Hig | 0.57 | 8.8 | 0.00 | Oct 22, 2017 | In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/news.php. | |
| CVE-2017-15731 | Hig | 0.57 | 8.8 | 0.00 | Oct 22, 2017 | In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.adminlog.php. | |
| CVE-2017-15729 | Hig | 0.57 | 8.8 | 0.00 | Oct 22, 2017 | In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) for adding a glossary. | |
| CVE-2017-1000017 | Hig | 0.57 | 8.8 | 0.01 | Jul 17, 2017 | phpMyAdmin 4.0, 4.4 and 4.6 are vulnerable to a weakness where a user with appropriate permissions is able to connect to an arbitrary MySQL server | |
| CVE-2016-6619 | Hig | 0.57 | 8.8 | 0.00 | Dec 11, 2016 | An issue was discovered in phpMyAdmin. In the user interface preference feature, a user can execute an SQL injection attack against the account of the control user. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. | |
| CVE-2016-6609 | Hig | 0.57 | 8.8 | 0.00 | Dec 11, 2016 | An issue was discovered in phpMyAdmin. A specially crafted database name could be used to run arbitrary PHP commands through the array export feature. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. |