⚠ Actively exploited
Added to CISA KEV on 2025-09-29. Federal agencies required to patch by 2025-10-20. Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CVE-2021-21311 — Server-Side Request Forgery in Adminer
Severity
NVD: 7.2 HIGH
OSV: 6.1
EPSS
94.2%
top 0.08%
CISA KEV
Added 2025-09-29
Due 2025-10-20
Exploit
PoC available
Public exploit / PoC exists
Affected products
Timeline
Published: Feb 11
KEV added: Sep 29
KEV due: Oct 20
Description
Adminer is an open-source database management tool in a single PHP file. Adminer versions from 4.0.0 up to, but not including, 4.7.9 contain a server-side request forgery vulnerability. Users of Adminer versions bundling all drivers (e.g. `adminer.php`) are affected. This is fixed in version 4.7.9.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Exploitability: 3.9 | Impact: 2.7
Affected Packages: 6 packages
Also affects: Debian Linux 9.0
Patches
🔴 Vulnerability Details (5)
💥 Exploits & PoCs (1)
Nuclei: Adminer <4.7.9 - Server-Side Request Forgery