phpMyAdmin: all CVEs (VYPR vendor listing)

313 total · sorted by risk. Each entry shows severity, publication date, the VYPR risk score, the CVSS base score and the EPSS probability. The listing also carries entries for phpMyFAQ and MiniCMS, which are separate projects rather than phpMyAdmin components.
  • CVE-2016-5706 · High · Jul 3, 2016
    risk 0.42 · CVSS 7.5 · EPSS 0.03

    js/get_scripts.js.php in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to cause a denial of service via a large array in the scripts parameter.

  • CVE-2016-2041 · High · Feb 20, 2016
    risk 0.42 · CVSS 7.5 · EPSS 0.03

    libraries/common.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 does not use a constant-time algorithm for comparing CSRF tokens, which makes it easier for remote attackers to bypass intended access restrictions by measuring time…

  • CVE-2016-1927 · High · Feb 20, 2016
    risk 0.42 · CVSS 7.5 · EPSS 0.03

    The suggestPassword function in js/functions.js in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 relies on the Math.random JavaScript function, which makes it easier for remote attackers to guess passwords via a brute-force approach.

  • CVE-2016-6628 · Medium · Dec 11, 2016
    risk 0.41 · CVSS 6.3 · EPSS 0.01

    An issue was discovered in phpMyAdmin. An attacker may be able to trigger a user to download a specially crafted malicious SVG file. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.

  • CVE-2005-4349 · Medium · Dec 19, 2005
    risk 0.41 · CVSS 6.3 · EPSS 0.01

    SQL injection vulnerability in server_privileges.php in phpMyAdmin 2.7.0 allows remote authenticated users to execute arbitrary SQL commands via the (1) dbname and (2) checkprivs parameters. NOTE: the vendor and a third party have disputed this issue, saying that the main task…

  • CVE-2018-15899 · Medium · Aug 27, 2018
    risk 0.40 · CVSS 6.1 · EPSS 0.01

    An issue was discovered in MiniCMS 1.10. There is a post.php?date= XSS vulnerability.

  • CVE-2017-15809 · Medium · Oct 23, 2017
    risk 0.40 · CVSS 6.1 · EPSS 0.01

    In phpMyFAQ before 2.9.9, there is XSS in admin/tags.main.php via a crafted tag.

  • CVE-2017-1000015 · Medium · Jul 17, 2017
    risk 0.40 · CVSS 6.1 · EPSS 0.01

    phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to a CSS injection attack through crafted cookie parameters.

  • CVE-2017-1000013 · Medium · Jul 17, 2017
    risk 0.40 · CVSS 6.1 · EPSS 0.01

    phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to an open redirect weakness.

  • CVE-2017-7579 · Medium · Apr 7, 2017
    risk 0.40 · CVSS 6.1 · EPSS 0.01

    inc/PMF/Faq.php in phpMyFAQ before 2.9.7 has XSS in the question field.

  • CVE-2016-9857 · Medium · Dec 11, 2016
    risk 0.40 · CVSS 6.1 · EPSS 0.01

    An issue was discovered in phpMyAdmin. XSS is possible because of a weakness in a regular expression used in some JavaScript processing. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.

  • CVE-2016-9856 · Medium · Dec 11, 2016
    risk 0.40 · CVSS 6.1 · EPSS 0.01

    An XSS issue was discovered in phpMyAdmin because of an improper fix for CVE-2016-2559 in PMASA-2016-10. This issue is resolved by using a copy of a hash to avoid a race condition. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior…

  • CVE-2016-6615 · Medium · Dec 11, 2016
    risk 0.40 · CVSS 6.1 · EPSS 0.01

    XSS issues were discovered in phpMyAdmin. This affects navigation pane and database/table hiding feature (a specially-crafted database name can be used to trigger an XSS attack); the "Tracking" feature (a specially-crafted query can be used to trigger an XSS attack); and GIS…

  • CVE-2016-6608 · Medium · Dec 11, 2016
    risk 0.40 · CVSS 6.1 · EPSS 0.01

    XSS issues were discovered in phpMyAdmin. This affects the database privilege check and the "Remove partitioning" functionality. Specially crafted database names can trigger the XSS attack. All 4.6.x versions (prior to 4.6.4) are affected.

  • CVE-2016-6607 · Medium · Dec 11, 2016
    risk 0.40 · CVSS 6.1 · EPSS 0.01

    XSS issues were discovered in phpMyAdmin. This affects Zoom search (specially crafted column content can be used to trigger an XSS attack); GIS editor (certain fields in the graphical GIS editor are not properly escaped and can be used to trigger an XSS attack); Relation view;…

  • CVE-2016-5099 · Medium · Jul 5, 2016
    risk 0.40 · CVSS 6.1 · EPSS 0.01

    Cross-site scripting (XSS) vulnerability in phpMyAdmin 4.4.x before 4.4.15.6 and 4.6.x before 4.6.2 allows remote attackers to inject arbitrary web script or HTML via special characters that are mishandled during double URL decoding.

  • CVE-2016-2560 · Medium · Mar 1, 2016
    risk 0.40 · CVSS 6.1 · EPSS 0.03

    Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.15, 4.4.x before 4.4.15.5, and 4.5.x before 4.5.5.1 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted Host HTTP header, related to libraries/Config.class.php; (2)…

  • CVE-2016-9860 · Medium · Dec 11, 2016
    risk 0.39 · CVSS 5.9 · EPSS 0.02

    An issue was discovered in phpMyAdmin. An unauthenticated user can execute a denial of service attack when phpMyAdmin is running with $cfg['AllowArbitraryServer']=true. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to…

  • CVE-2016-6632 · Medium · Dec 11, 2016
    risk 0.39 · CVSS 5.9 · EPSS 0.02

    An issue was discovered in phpMyAdmin where, under certain conditions, phpMyAdmin may not delete temporary files during the import of ESRI files. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.

  • CVE-2016-6624 · Medium · Dec 11, 2016
    risk 0.39 · CVSS 5.9 · EPSS 0.02

    An issue was discovered in phpMyAdmin involving improper enforcement of the IP-based authentication rules. When phpMyAdmin is used with IPv6 in a proxy server environment, and the proxy server is in the allowed range but the attacking computer is not allowed, this vulnerability…

  • CVE-2011-4107 · Medium · Nov 17, 2011
    risk 0.39 · CVSS 6.5 · EPSS 0.13

    The simplexml_load_string function in the XML import plug-in (libraries/import/xml.php) in phpMyAdmin 3.4.x before 3.4.7.1 and 3.3.x before 3.3.10.5 allows remote authenticated users to read arbitrary files via XML data containing external entity references, aka an XML external…

  • CVE-2017-15727 · Medium · Oct 22, 2017
    risk 0.38 · CVSS 5.4 · EPSS 0.02

    In phpMyFAQ before 2.9.9, there is Stored Cross-site Scripting (XSS) via an HTML attachment.

  • CVE-2016-6622 · Medium · Dec 11, 2016
    risk 0.38 · CVSS 5.9 · EPSS 0.02

    An issue was discovered in phpMyAdmin. An unauthenticated user is able to execute a denial-of-service (DoS) attack by forcing persistent connections when phpMyAdmin is running with $cfg['AllowArbitraryServer']=true. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to…

  • CVE-2016-2562 · Medium · Mar 1, 2016
    risk 0.37 · CVSS 6.8 · EPSS 0.01

    The checkHTTP function in libraries/Config.class.php in phpMyAdmin 4.5.x before 4.5.5.1 does not verify X.509 certificates from api.github.com SSL servers, which allows man-in-the-middle attackers to spoof these servers and obtain sensitive information via a crafted certificate.

  • CVE-2013-1937 · Medium · Apr 16, 2013
    risk 0.36 · CVSS 6.1 · EPSS 0.05

    Multiple cross-site scripting (XSS) vulnerabilities in tbl_gis_visualization.php in phpMyAdmin 3.5.x before 3.5.8 might allow remote attackers to inject arbitrary web script or HTML via the (1) visualizationSettings[width] or (2) visualizationSettings[height] parameter. NOTE: a…

  • CVE-2008-1567 · Medium · Mar 31, 2008
    risk 0.36 · CVSS 5.5 · EPSS 0.00

    phpMyAdmin before 2.11.5.1 stores the MySQL (1) username and (2) password, and the (3) Blowfish secret key, in cleartext in a Session file under /tmp, which allows local users to obtain sensitive information.

  • CVE-2025-24530 · Medium · Jan 23, 2025
    risk 0.35 · CVSS 6.4 · EPSS 0.00

    An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.

  • CVE-2016-9859 · Medium · Dec 11, 2016
    risk 0.35 · CVSS 5.3 · EPSS 0.02

    An issue was discovered in phpMyAdmin. With a crafted request parameter value it is possible to initiate a denial of service attack in import feature. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.

  • CVE-2016-9858 · Medium · Dec 11, 2016
    risk 0.35 · CVSS 5.3 · EPSS 0.02

    An issue was discovered in phpMyAdmin. With a crafted request parameter value it is possible to initiate a denial of service attack in saved searches feature. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are…

  • CVE-2016-9855 · Medium · Dec 11, 2016
    risk 0.35 · CVSS 5.3 · EPSS 0.03

    An issue was discovered in phpMyAdmin. By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed. During an execution…

  • CVE-2016-9854 · Medium · Dec 11, 2016
    risk 0.35 · CVSS 5.3 · EPSS 0.02

    An issue was discovered in phpMyAdmin. By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed. During an execution…

  • CVE-2016-9853 · Medium · Dec 11, 2016
    risk 0.35 · CVSS 5.3 · EPSS 0.03

    An issue was discovered in phpMyAdmin. By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed. During an execution…

  • CVE-2016-9852 · Medium · Dec 11, 2016
    risk 0.35 · CVSS 5.3 · EPSS 0.02

    An issue was discovered in phpMyAdmin. By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed. During an execution…

  • CVE-2016-9851 · Medium · Dec 11, 2016
    risk 0.35 · CVSS 5.3 · EPSS 0.01

    An issue was discovered in phpMyAdmin. With a crafted request parameter value it is possible to bypass the logout timeout. All 4.6.x versions (prior to 4.6.5), and 4.4.x versions (prior to 4.4.15.9) are affected.

  • CVE-2016-9850 · Medium · Dec 11, 2016
    risk 0.35 · CVSS 5.3 · EPSS 0.02

    An issue was discovered in phpMyAdmin. Username matching for the allow/deny rules may result in wrong matches and detection of the username in the rule due to non-constant execution time. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions…

  • CVE-2016-9848 · Medium · Dec 11, 2016
    risk 0.35 · CVSS 5.3 · EPSS 0.01

    An issue was discovered in phpMyAdmin. phpinfo (phpinfo.php) shows PHP information including values of HttpOnly cookies. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.

  • CVE-2016-9847 · Medium · Dec 11, 2016
    risk 0.35 · CVSS 5.3 · EPSS 0.02

    An issue was discovered in phpMyAdmin. When the user does not specify a blowfish_secret key for encrypting cookies, phpMyAdmin generates one at runtime. A vulnerability was reported where the way this value is created uses a weak algorithm. This could allow an attacker to…

  • CVE-2016-6627 · Medium · Dec 11, 2016
    risk 0.35 · CVSS 5.3 · EPSS 0.01

    An issue was discovered in phpMyAdmin. An attacker can determine the phpMyAdmin host location through the file url.php. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.

  • CVE-2016-6626 · Medium · Dec 11, 2016
    risk 0.35 · CVSS 5.4 · EPSS 0.01

    An issue was discovered in phpMyAdmin. An attacker could redirect a user to a malicious web page. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.

  • CVE-2016-6613 · Medium · Dec 11, 2016
    risk 0.35 · CVSS 5.3 · EPSS 0.02

    An issue was discovered in phpMyAdmin. A user can specially craft a symlink on disk, to a file which phpMyAdmin is permitted to read but the user is not, which phpMyAdmin will then expose to the user. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and…

  • CVE-2016-5098 · Medium · Jul 5, 2016
    risk 0.35 · CVSS 5.3 · EPSS 0.02

    Directory traversal vulnerability in libraries/error_report.lib.php in phpMyAdmin before 4.6.2-prerelease allows remote attackers to determine the existence of arbitrary files by triggering an error.

  • CVE-2016-5097 · Medium · Jul 5, 2016
    risk 0.35 · CVSS 5.3 · EPSS 0.01

    phpMyAdmin before 4.6.2 places tokens in query strings and does not arrange for them to be stripped before external navigation, which allows remote attackers to obtain sensitive information by reading (1) HTTP requests or (2) server logs.

  • CVE-2016-2561 · Medium · Mar 1, 2016
    risk 0.35 · CVSS 5.4 · EPSS 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.4.x before 4.4.15.5 and 4.5.x before 4.5.5.1 allow remote authenticated users to inject arbitrary web script or HTML via (1) normalization.php or (2) js/normalization.js in the database normalization page, (3)…

  • CVE-2004-2257 · Medium · Dec 31, 2004
    risk 0.35 · CVSS 5.3 · EPSS 0.02

    phpMyFAQ 1.4.0 allows remote attackers to access the Image Manager to upload or delete images without authorization via a direct request.

  • CVE-2026-34973 · Medium · Apr 2, 2026
    risk 0.34 · CVSS 5.3 · EPSS 0.00

    phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the searchCustomPages() method in phpmyfaq/src/phpMyFAQ/Search.php uses real_escape_string() (via escape()) to sanitize the search term before embedding it in LIKE clauses. However, real_escape_string() does…

  • CVE-2017-14618 · Medium · Sep 20, 2017
    risk 0.34 · CVSS 4.8 · EPSS 0.02

    Cross-site scripting (XSS) vulnerability in inc/PMF/Faq.php in phpMyFAQ through 2.9.8 allows remote attackers to inject arbitrary web script or HTML via the Questions field in an "Add New FAQ" action.

  • CVE-2026-34729 · Medium · Apr 2, 2026
    risk 0.33 · CVSS 6.1 · EPSS 0.00

    phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, there is a stored XSS vulnerability via Regex Bypass in Filter::removeAttributes(). This issue has been patched in version 4.1.1.

  • CVE-2026-32629 · Medium · Apr 2, 2026
    risk 0.33 · CVSS 6.1 · EPSS 0.00

    phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, an unauthenticated attacker can submit a guest FAQ with an email address that is syntactically valid per RFC 5321 (quoted local part) yet contains raw HTML — for example…

  • CVE-2016-5733 · Medium · Jul 3, 2016
    risk 0.33 · CVSS 6.1 · EPSS 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) a crafted table name that is mishandled during…

  • CVE-2016-5732 · Medium · Jul 3, 2016
    risk 0.33 · CVSS 6.1 · EPSS 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in the partition-range implementation in templates/table/structure/display_partitions.phtml in the table-structure page in phpMyAdmin 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via crafted…
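CVE-2016-2041 (CSRF token comparison in libraries/common.inc.php) and CVE-2016-9850 (username matching for the allow/deny rules) in the list above are the same defect: a comparison whose running time depends on how much of the attacker's input is correct. The following is an added example written for this page, not phpMyAdmin code. The token value is constructed, and instead of a stopwatch it counts how many bytes each comparison inspects, which is exactly the quantity that leaks through response timing. It assumes PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

// Added example, not phpMyAdmin code. $bytesInspected is an instrumentation
// counter standing in for elapsed time.

/**
 * Byte-by-byte comparison that returns at the first mismatch. How far the loop
 * gets before returning depends on how many leading bytes of the guess were
 * right, and that is observable remotely as a timing difference.
 */
function leaky_equals(string $known, string $guess, int &$bytesInspected): bool
{
    $bytesInspected = 0;
    if (strlen($known) !== strlen($guess)) {
        return false;
    }
    for ($i = 0, $n = strlen($known); $i < $n; $i++) {
        $bytesInspected++;
        if ($known[$i] !== $guess[$i]) {
            return false;                     // early exit: work depends on the secret
        }
    }
    return true;
}

/**
 * Constant-time comparison: every byte is inspected and the differences are
 * OR-ed into an accumulator, so the work done is independent of where the
 * first mismatch sits. Production code should call PHP's built-in
 * hash_equals(), which does the same in C; the loop is written out here so
 * the property is visible.
 */
function constant_time_equals(string $known, string $guess, int &$bytesInspected): bool
{
    $bytesInspected = 0;
    $n = strlen($known);
    if ($n !== strlen($guess)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < $n; $i++) {
        $bytesInspected++;
        $diff |= ord($known[$i]) ^ ord($guess[$i]);
    }
    return $diff === 0;
}

// Constructed 64-character hex token standing in for a per-session CSRF token.
$token = 'a3f1c9e07b2d4c6e8f0a1b2c3d4e5f60a3f1c9e07b2d4c6e8f0a1b2c3d4e5f60';

$cases = [
    'first byte wrong' => '0' . substr($token, 1),
    'last byte wrong'  => substr($token, 0, -1) . '1',
    'exact match'      => $token,
];

foreach ($cases as $label => $guess) {
    leaky_equals($token, $guess, $leaky);
    constant_time_equals($token, $guess, $ct);
    printf("%-17s early-exit loop inspected %2d bytes, constant-time loop inspected %2d bytes\n",
        $label, $leaky, $ct);
}

// The actual fix is a one-liner. Keep the known-good value as the first
// argument; hash_equals() also uses strict byte comparison, so PHP's loose
// == rules for numeric-looking strings never come into play.
var_dump(hash_equals($token, $cases['last byte wrong']));
```

Run as written, the early-exit loop inspects 1 byte when the first byte is wrong and all 64 when only the last byte is wrong, while the constant-time loop inspects 64 bytes in every case. Anything whose outcome depends on a secret (CSRF tokens, API keys, usernames matched against an access list) belongs behind hash_equals(), not `==` or `===`.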
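CVE-2016-6624 above describes IP-based allow/deny rules misfiring when phpMyAdmin sits behind a proxy on IPv6: the proxy's own address is in the allowed range, so a client that is not allowed still gets through. The following is an added example, not phpMyAdmin's code: the rule format, the addresses and the request arrays are constructed, and the functions show the flawed shape (rules checked against the TCP peer) beside a hardened client-address derivation that honours X-Forwarded-For only from configured proxies and matches IPv6 prefixes correctly. It assumes PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

// Added example, not phpMyAdmin code. Rules, addresses and request data are constructed.

/** True if $ip (IPv4 or IPv6) lies inside $cidr; malformed input fails closed. */
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    if (filter_var($ip, FILTER_VALIDATE_IP) === false || filter_var($net, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    $ipBin  = inet_pton($ip);
    $netBin = inet_pton($net);
    if (strlen($ipBin) !== strlen($netBin)) {
        return false;                          // v4 address against a v6 range or vice versa
    }
    $maxBits = strlen($ipBin) * 8;
    $bits    = $bits === null ? $maxBits : (int) $bits;
    if ($bits < 0 || $bits > $maxBits) {
        return false;
    }
    $fullBytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;       // the leading $rem bits of the partial byte
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

function in_any_cidr(string $ip, array $cidrs): bool
{
    foreach ($cidrs as $cidr) {
        if (ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

/**
 * Flawed shape: the rules are evaluated against the TCP peer. Behind a reverse
 * proxy the peer is always the proxy, which the administrator had to allow, so
 * every client the proxy forwards is accepted.
 */
function client_ip_naive(array $server): string
{
    return $server['REMOTE_ADDR'];
}

/**
 * Hardened: X-Forwarded-For is honoured only when the peer is a configured
 * proxy, and the chain is walked from the right so that hops the client wrote
 * into the header itself are not taken at face value.
 */
function client_ip(array $server, array $trustedProxies): string
{
    $peer = $server['REMOTE_ADDR'];
    if (!in_any_cidr($peer, $trustedProxies) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer;
    }
    $hops = array_map(static fn(string $h): string => trim($h, " []"),
        explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (filter_var($hops[$i], FILTER_VALIDATE_IP) !== false && !in_any_cidr($hops[$i], $trustedProxies)) {
            return $hops[$i];
        }
    }
    return $peer;                              // nothing but our own proxies in the chain
}

// Constructed deployment: administrators sit in 2001:db8:1::/48, and the reverse
// proxy at 2001:db8:1::10 is inside that range. The attacker is at 2001:db8:bad::1.
$allowed        = ['2001:db8:1::/48', '192.0.2.0/24'];
$trustedProxies = ['2001:db8:1::10'];

$requests = [
    'through the proxy'  => ['REMOTE_ADDR' => '2001:db8:1::10',  'HTTP_X_FORWARDED_FOR' => '2001:db8:bad::1'],
    'direct, forged XFF' => ['REMOTE_ADDR' => '2001:db8:bad::1', 'HTTP_X_FORWARDED_FOR' => '2001:db8:1::5'],
];

foreach ($requests as $label => $req) {
    $naive = in_any_cidr(client_ip_naive($req), $allowed);
    $fixed = in_any_cidr(client_ip($req, $trustedProxies), $allowed);
    printf("%-19s naive: %-5s hardened: %s\n", $label, $naive ? 'ALLOW' : 'deny', $fixed ? 'ALLOW' : 'deny');
}
```

For the request through the proxy the naive check allows the attacker, because it only ever sees the proxy's 2001:db8:1::10; the hardened check resolves the client to 2001:db8:bad::1 and denies it. For the direct connection with a forged header both deny, since the header is ignored when the peer is not a trusted proxy. The prefix comparison works on the packed address from inet_pton(), so a /48 on IPv6 and a /24 on IPv4 go through the same code path and there is no separate, less-tested IPv6 branch for a bug like this one to hide in.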
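CVE-2011-4107 above is XML external entity injection through simplexml_load_string() in the XML import plug-in. The following is an added example, not phpMyAdmin code: the payload is a constructed document of the kind the CVE describes (its element names are illustrative, not phpMyAdmin's export schema), and parse_untrusted_xml() shows the three controls that close the hole in PHP. It assumes PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

// Added example, not phpMyAdmin code. The payload and element names are constructed.

// A DTD declares an external entity pointing at a local file and the body
// references it; any code that echoes element text back to the user then
// discloses the file.
$payload = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE export [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<export version="1.0">
  <database name="&xxe;"/>
</export>
XML;

/**
 * Parse untrusted XML with external entities disabled. Three layers, cheapest first:
 *  1. Reject any document carrying a DOCTYPE: the import format defines no DTD,
 *     so a DTD in user input is attacker-controlled by definition, and every
 *     XXE variant needs one. (Transcode non-UTF-8 input before this check.)
 *  2. Before PHP 8, tell libxml never to load external entities. On PHP 8 the
 *     loader is off by default and the function is deprecated, hence the guard.
 *  3. Pass LIBXML_NONET so the parser cannot reach the network, and never pass
 *     LIBXML_NOENT, which is the flag that substitutes entity references.
 */
function parse_untrusted_xml(string $xml): ?SimpleXMLElement
{
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        return null;
    }
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    $prev = libxml_use_internal_errors(true);
    try {
        $doc = simplexml_load_string($xml, SimpleXMLElement::class, LIBXML_NONET);
        return $doc === false ? null : $doc;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($prev);
    }
}

// The DTD-bearing payload is refused before libxml ever sees it.
var_dump(parse_untrusted_xml($payload) === null);

// A document without a DOCTYPE still parses normally.
$clean = '<export version="1.0"><database name="app"/></export>';
$doc   = parse_untrusted_xml($clean);
echo (string) $doc->database['name'], "\n";
```

The DOCTYPE rejection is the control worth keeping even on current PHP and libxml2, where external entity loading is already off by default: it also stops entity-expansion denial of service ("billion laughs"), which needs no external loader at all, and it does not depend on knowing which libxml2 the host ships.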
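CVE-2026-34973 above makes a point that applies well beyond phpMyFAQ: real_escape_string() keeps a term inside its string literal, but `%` and `_` are ordinary characters to it and remain wildcards once the term lands in a LIKE clause. The following is an added example, not phpMyFAQ code. The rows, search terms and table name are constructed; mysql_string_escape() is a labelled stand-in for mysqli::real_escape_string(), which needs a live connection, and sql_like() is a small evaluator of MySQL LIKE semantics so the effect can be seen without a database. It assumes PHP 7.4 or later and a server running without NO_BACKSLASH_ESCAPES.

```php
<?php
declare(strict_types=1);

// Added example, not phpMyFAQ code. Table, rows and search terms are constructed.

/**
 * Stand-in for mysqli::real_escape_string(): it handles exactly the characters
 * that would break out of a string literal. '%' and '_' are not among them,
 * which is the whole problem.
 */
function mysql_string_escape(string $s): string
{
    return strtr($s, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        '"'    => '\\"',
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\x1a" => "\\Z",
    ]);
}

/** The missing step: make '%', '_' and the escape character itself literal in a LIKE pattern. */
function like_escape(string $s): string
{
    return addcslashes($s, '\\%_');
}

/**
 * Build the query in the right order: LIKE-escape first, then escape for the
 * string literal, so the backslashes like_escape() added survive literal
 * decoding on the server and reach the LIKE operator intact.
 */
function build_search_sql(string $term): string
{
    return "SELECT id, title FROM faqdata WHERE title LIKE '%"
        . mysql_string_escape(like_escape($term)) . "%'";
}

/**
 * Minimal evaluator for MySQL LIKE with backslash as the escape character.
 * Case-insensitive, as with the default *_ci collations.
 */
function sql_like(string $value, string $pattern): bool
{
    $re = '';
    for ($i = 0, $n = strlen($pattern); $i < $n; $i++) {
        $c = $pattern[$i];
        if ($c === '\\' && $i + 1 < $n) {
            $re .= preg_quote($pattern[++$i], '/');    // escaped: literal character
        } elseif ($c === '%') {
            $re .= '.*';
        } elseif ($c === '_') {
            $re .= '.';
        } else {
            $re .= preg_quote($c, '/');
        }
    }
    return preg_match('/^' . $re . '$/is', $value) === 1;
}

$rows = ['Reset password', 'Admin handbook', 'Discount 10% codes'];

foreach (['%', 'a_min', '10% codes'] as $term) {
    // The pattern the server evaluates after decoding the string literal, unescaped vs escaped.
    $unescaped = '%' . $term . '%';
    $escaped   = '%' . like_escape($term) . '%';
    $hitsU = array_filter($rows, fn(string $r): bool => sql_like($r, $unescaped));
    $hitsE = array_filter($rows, fn(string $r): bool => sql_like($r, $escaped));
    printf("term %-12s unescaped matches %d row(s), escaped matches %d row(s)\n",
        var_export($term, true), count($hitsU), count($hitsE));
}

echo build_search_sql('10% codes'), "\n";
```

Run as written, a bare `%` matches all three rows unescaped and only the row containing a literal percent sign once escaped, and `a_min` matches "Admin handbook" unescaped (the underscore standing in for the "d") but nothing once escaped, while the legitimate term `10% codes` finds its row either way. A wildcard in a search term is not a full SQL injection, but it lets an unauthenticated user enumerate content one character at a time and turns a cheap indexed lookup into a full scan. Where the server may run with NO_BACKSLASH_ESCAPES, name the escape character explicitly with an ESCAPE clause and change like_escape() to use it.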

Page 2 of 7