PhpMyAdmin

All CVEs

313 total · sorted by risk
  • CVE-2016-5731 · Med · Jul 3, 2016
    risk 0.33 · cvss 6.1 · epss 0.02

    Cross-site scripting (XSS) vulnerability in examples/openid.php in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to inject arbitrary web script or HTML via vectors involving an OpenID error message.

  • CVE-2016-5705 · Med · Jul 3, 2016
    risk 0.33 · cvss 6.1 · epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.4.x before 4.4.15.7 and 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) server-privileges certificate data fields on the user privileges page, (2) an…

  • CVE-2016-5704 · Med · Jul 3, 2016
    risk 0.33 · cvss 6.1 · epss 0.02

    Cross-site scripting (XSS) vulnerability in the table-structure page in phpMyAdmin 4.6.x before 4.6.3 allows remote attackers to inject arbitrary web script or HTML via vectors involving a comment.

  • CVE-2016-5701 · Med · Jul 3, 2016
    risk 0.33 · cvss 6.1 · epss 0.02

    setup/frames/index.inc.php in phpMyAdmin 4.0.10.x before 4.0.10.16, 4.4.15.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to conduct BBCode injection attacks against HTTP sessions via a crafted URI.

  • CVE-2014-6050 · Med · Aug 28, 2018
    risk 0.31 · cvss 5.3 · epss 0.05

    phpMyFAQ before 2.8.13 allows remote attackers to bypass the CAPTCHA protection mechanism by replaying the request.

  • CVE-2014-6048 · Med · Aug 28, 2018
    risk 0.31 · cvss 5.3 · epss 0.06

    phpMyFAQ before 2.8.13 allows remote attackers to read arbitrary attachments via a direct request.

  • CVE-2014-6047 · Med · Aug 28, 2018
    risk 0.31 · cvss 5.3 · epss 0.06

    phpMyFAQ before 2.8.13 allows remote authenticated users with certain permissions to read arbitrary attachments by leveraging incorrect "download an attachment" permission checks.

  • CVE-2017-15728 · Med · Oct 22, 2017
    risk 0.31 · cvss 4.8 · epss 0.01

    In phpMyFAQ before 2.9.9, there is Stored Cross-site Scripting (XSS) via metaDescription or metaKeywords.

  • CVE-2016-4412 · Med · Dec 11, 2016
    risk 0.29 · cvss 4.4 · epss 0.01

    An issue was discovered in phpMyAdmin. A user can be tricked into following a link leading to phpMyAdmin, which after authentication redirects to another malicious site. The attacker must sniff the user's valid phpMyAdmin token. All 4.0.x versions (prior to 4.0.10.16) are…

  • CVE-2026-34974 · Med · Apr 2, 2026
    risk 0.28 · cvss 5.4 · epss 0.00

    phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the regex-based SVG sanitizer in phpMyFAQ (SvgSanitizer.php) can be bypassed using HTML entity encoding in javascript: URLs within SVG attributes. Any user with edit_faq permission can upload a…

  • CVE-2016-6625 · Med · Dec 11, 2016
    risk 0.28 · cvss 4.3 · epss 0.01

    An issue was discovered in phpMyAdmin. An attacker can determine whether a user is logged in to phpMyAdmin. The user's session, username, and password are not compromised by this vulnerability. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x…

  • CVE-2016-6610 · Med · Dec 11, 2016
    risk 0.28 · cvss 4.3 · epss 0.01

    A full path disclosure vulnerability was discovered in phpMyAdmin where a user can trigger a particular error in the export mechanism to discover the full path of phpMyAdmin on the disk. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions…

  • CVE-2016-5730 · Med · Jul 3, 2016
    risk 0.28 · cvss 5.3 · epss 0.03

    phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to obtain sensitive information via vectors involving (1) an array value to FormDisplay.php, (2) incorrect data to validate.php, (3) unexpected data to Validator.php, (4) a…

  • CVE-2016-2559 · Med · Mar 1, 2016
    risk 0.28 · cvss 5.4 · epss 0.02

    Cross-site scripting (XSS) vulnerability in the format function in libraries/sql-parser/src/Utils/Error.php in the SQL parser in phpMyAdmin 4.5.x before 4.5.5.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted query.

  • CVE-2016-2045 · Med · Feb 20, 2016
    risk 0.28 · cvss 5.4 · epss 0.02

    Cross-site scripting (XSS) vulnerability in the SQL editor in phpMyAdmin 4.5.x before 4.5.4 allows remote authenticated users to inject arbitrary web script or HTML via a SQL query that triggers JSON data in a response.

  • CVE-2016-2044 · Med · Feb 20, 2016
    risk 0.28 · cvss 5.3 · epss 0.02

    libraries/sql-parser/autoload.php in the SQL parser in phpMyAdmin 4.5.x before 4.5.4 allows remote attackers to obtain sensitive information via a crafted request, which reveals the full path in an error message.

  • CVE-2016-2043 · Med · Feb 20, 2016
    risk 0.28 · cvss 5.4 · epss 0.01

    Cross-site scripting (XSS) vulnerability in the goToFinish1NF function in js/normalization.js in phpMyAdmin 4.4.x before 4.4.15.3 and 4.5.x before 4.5.4 allows remote authenticated users to inject arbitrary web script or HTML via a table name to the normalization page.

  • CVE-2016-2042 · Med · Feb 20, 2016
    risk 0.28 · cvss 5.3 · epss 0.02

    phpMyAdmin 4.4.x before 4.4.15.3 and 4.5.x before 4.5.4 allows remote attackers to obtain sensitive information via a crafted request to (1) libraries/phpseclib/Crypt/AES.php or (2) libraries/phpseclib/Crypt/Rijndael.php, which reveals the full path in an error message.

  • CVE-2016-2040 · Med · Feb 20, 2016
    risk 0.28 · cvss 5.4 · epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 allow remote authenticated users to inject arbitrary web script or HTML via a (1) table name, (2) SET value, (3) search query, or (4) hostname…

  • CVE-2016-2039 · Med · Feb 20, 2016
    risk 0.28 · cvss 5.3 · epss 0.02

    libraries/session.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 does not properly generate CSRF token values, which allows remote attackers to bypass intended access restrictions by predicting a value.

  • CVE-2016-2038 · Med · Feb 20, 2016
    risk 0.28 · cvss 5.3 · epss 0.03

    phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 allows remote attackers to obtain sensitive information via a crafted request, which reveals the full path in an error message.

  • CVE-2015-8669 · Med · Dec 26, 2015
    risk 0.28 · cvss 5.3 · epss 0.02

    libraries/config/messages.inc.php in phpMyAdmin 4.0.x before 4.0.10.12, 4.4.x before 4.4.15.2, and 4.5.x before 4.5.3.1 allows remote attackers to obtain sensitive information via a crafted request, which reveals the full path in an error message.

  • CVE-2016-5702 · Low · Jul 3, 2016
    risk 0.17 · cvss 3.7 · epss 0.02

    phpMyAdmin 4.6.x before 4.6.3, when the environment lacks a PHP_SELF value, allows remote attackers to conduct cookie-attribute injection attacks via a crafted URI.

  • CVE-2014-6049 · Low · Aug 28, 2018
    risk 0.14 · cvss 2.7 · epss 0.03

    phpMyFAQ before 2.8.13 allows remote authenticated users with admin privileges to bypass authorization via a crafted instance ID parameter.

  • CVE-2026-48488 · Low · Jun 8, 2026
    risk 0.11 · cvss · epss 0.00

    phpMyFAQ is an open source FAQ web application. Prior to version 4.1.4, attachment passwords are hashed using SHA-1, a cryptographically broken algorithm. SHA-1 has been vulnerable to collision attacks since 2017 (SHAttered). Version 4.1.4 fixes the issue.

  • CVE-2012-5159 · Sep 25, 2012
    risk 0.09 · cvss · epss 0.75

    phpMyAdmin 3.5.2.2, as distributed by the cdnetworks-kr-1 mirror during an unspecified time frame in 2012, contains an externally introduced modification (Trojan Horse) in server_sync.php, which allows remote attackers to execute arbitrary PHP code via an eval injection attack.

  • CVE-2019-6799 · Jan 26, 2019
    risk 0.06 · cvss · epss 0.16

    An issue was discovered in phpMyAdmin before 4.8.5. When the AllowArbitraryServer configuration setting is set to true, with the use of a rogue MySQL server, an attacker can read any file on the server that the web server's user can access. This is related to the…

  • CVE-2011-4825 · Dec 15, 2011
    risk 0.06 · cvss · epss 0.41

    Static code injection vulnerability in inc/function.base.php in Ajax File and Image Manager before 1.1, as used in tinymce before 1.4.2, phpMyFAQ 2.6 before 2.6.19 and 2.7 before 2.7.1, and possibly other products, allows remote attackers to inject arbitrary PHP code into…

  • CVE-2012-5469 · Dec 20, 2012
    risk 0.05 · cvss · epss 0.24

    The Portable phpMyAdmin plugin before 1.3.1 for WordPress allows remote attackers to bypass authentication and obtain phpMyAdmin console access via a direct request to wp-content/plugins/portable-phpmyadmin/wp-pma-mod.

  • CVE-2009-1285 · Apr 16, 2009
    risk 0.04 · cvss · epss 0.11

    Static code injection vulnerability in the getConfigFile function in setup/lib/ConfigFile.class.php in phpMyAdmin 3.x before 3.1.3.2 allows remote attackers to inject arbitrary PHP code into configuration files.

  • CVE-2008-4096 · Sep 18, 2008
    risk 0.04 · cvss · epss 0.11

    libraries/database_interface.lib.php in phpMyAdmin before 2.11.9.1 allows remote authenticated users to execute arbitrary code via a request to server_databases.php with a sort_by parameter containing PHP sequences, which are processed by create_function.

  • CVE-2005-3299 · Oct 23, 2005
    risk 0.04 · cvss · epss 0.16

    PHP file inclusion vulnerability in grab_globals.lib.php in phpMyAdmin 2.6.4 and 2.6.4-pl1 allows remote attackers to include local files via the $__redirect parameter, possibly involving the subform array.

  • CVE-2005-3048 · Sep 24, 2005
    risk 0.04 · cvss · epss 0.08

    Directory traversal vulnerability in index.php in PhpMyFaq 1.5.1 allows remote attackers to read arbitrary files or include arbitrary PHP files via a .. (dot dot) in the LANGCODE parameter, which also allows direct code injection via the User Agent field in a request packet,…

  • CVE-2004-1147 · Jan 10, 2005
    risk 0.04 · cvss · epss 0.12

    phpMyAdmin 2.6.0-pl2, and other versions before 2.6.1, with external transformations enabled, allows remote attackers to execute arbitrary commands via shell metacharacters.

  • CVE-2004-2631 · Dec 31, 2004
    risk 0.04 · cvss · epss 0.09

    Eval injection vulnerability in left.php in phpMyAdmin 2.5.1 up to 2.5.7, when LeftFrameLight is FALSE, allows remote attackers to execute arbitrary PHP code via a crafted table name.

  • CVE-2004-0129 · Mar 3, 2004
    risk 0.04 · cvss · epss 0.09

    Directory traversal vulnerability in export.php in phpMyAdmin 2.5.5 and earlier allows remote attackers to read arbitrary files via .. (dot dot) sequences in the what parameter.

  • CVE-2013-3241 · Apr 26, 2013
    risk 0.03 · cvss · epss 0.04

    export.php (aka the export script) in phpMyAdmin 4.x before 4.0.0-rc3 overwrites global variables on the basis of the contents of the POST superglobal array, which allows remote authenticated users to inject values via a crafted request.

  • CVE-2013-3240 · Apr 26, 2013
    risk 0.03 · cvss · epss 0.05

    Directory traversal vulnerability in the Export feature in phpMyAdmin 4.x before 4.0.0-rc3 allows remote authenticated users to read arbitrary files or possibly have unspecified other impact via a parameter that specifies a crafted export type.

  • CVE-2010-4480 · Dec 8, 2010
    risk 0.03 · cvss · epss 0.06

    error.php in PhpMyAdmin 3.3.8.1, and other versions before 3.4.0-beta1, allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted BBcode tag containing "@" characters, as demonstrated using "[a@url@page]".

  • CVE-2008-5621 · Dec 17, 2008
    risk 0.03 · cvss · epss 0.02

    Cross-site request forgery (CSRF) vulnerability in phpMyAdmin 2.11.x before 2.11.9.4 and 3.x before 3.1.1.0 allows remote attackers to perform unauthorized actions as the administrator via a link or IMG tag to tbl_structure.php with a modified table parameter. NOTE: other…

  • CVE-2008-4775 · Oct 28, 2008
    risk 0.03 · cvss · epss 0.06

    Cross-site scripting (XSS) vulnerability in pmd_pdf.php in phpMyAdmin 3.0.0, and possibly other versions including 2.11.9.2 and 3.0.1, when register_globals is enabled, allows remote attackers to inject arbitrary web script or HTML via the db parameter, a different vector than…

  • CVE-2007-5589 · Oct 19, 2007
    risk 0.03 · cvss · epss 0.03

    Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.11.1.2 allow remote attackers to inject arbitrary web script or HTML via certain input available in (1) PHP_SELF in (a) server_status.php, and (b) grab_globals.lib.php, (c)…

  • CVE-2007-5386 · Oct 12, 2007
    risk 0.03 · cvss · epss 0.03

    Cross-site scripting (XSS) vulnerability in scripts/setup.php in phpMyAdmin 2.11.1, when accessed by a browser that does not URL-encode requests, allows remote attackers to inject arbitrary web script or HTML via the query string.

  • CVE-2006-6943 · Jan 19, 2007
    risk 0.03 · cvss · epss 0.04

    PhpMyAdmin before 2.9.1.1 allows remote attackers to obtain the full server path via direct requests to (a) scripts/check_lang.php and (b) themes/darkblue_orange/layout.inc.php; and via the (1) lang[], (2) target[], (3) db[], (4) goto[], (5) table[], and (6) tbl_group[] array…

  • CVE-2006-6942 · Jan 19, 2007
    risk 0.03 · cvss · epss 0.03

    Multiple cross-site scripting (XSS) vulnerabilities in PhpMyAdmin before 2.9.1.1 allow remote attackers to inject arbitrary HTML or web script via (1) a comment for a table name, as exploited through (a) db_operations.php, (2) the db parameter to (b) db_create.php, (3) the…

  • CVE-2006-6912 · Dec 31, 2006
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in phpMyFAQ 1.6.7 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors, possibly the userfile or filename parameter.

  • CVE-2006-1803 · Apr 18, 2006
    risk 0.03 · cvss · epss 0.03

    Cross-site scripting (XSS) vulnerability in sql.php in phpMyAdmin 2.7.0-pl1 allows remote attackers to inject arbitrary web script or HTML via the sql_query parameter.

  • CVE-2006-1258 · Mar 19, 2006
    risk 0.03 · cvss · epss 0.03

    Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.8.0.1 allows remote attackers to inject arbitrary web script or HTML via the set_theme parameter.

  • CVE-2005-3301 · Oct 24, 2005
    risk 0.03 · cvss · epss 0.06

    Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.6.4-pl3 allow remote attackers to inject arbitrary web script or HTML via certain arguments to (1) left.php, (2) queryframe.php, or (3) server_databases.php.

  • CVE-2005-2869 · Sep 8, 2005
    risk 0.03 · cvss · epss 0.05

    Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.6.4 allow remote attackers to inject arbitrary web script or HTML via (1) the Username to libraries/auth/cookie.auth.lib.php or (2) the error parameter to error.php.
