Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2021-29625: Cross-site Scripting in Adminer

Severity: 6.1 MEDIUM (NVD)
EPSS: 29.5% (top 3.38%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published May 19; latest update Jun 3

Description

Adminer is open-source database management software. A cross-site scripting vulnerability in Adminer versions 4.6.1 to 4.8.0 affects users of MySQL, MariaDB, PgSQL and SQLite. XSS is in most cases prevented by strict CSP in all modern browsers. The only exception is when Adminer is using a `pdo_` extension to communicate with the database (it is used if the native extensions are not enabled). In browsers without CSP, Adminer versions 4.6.1 to 4.8.0 are affected. The vulnerability is patched in v

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (6 packages)

Packagist | vrana/adminer | 4.7.8 | 4.8.1
debian | debian/adminer | < adminer 4.7.9-2 (bookworm)
NVD | adminer/adminer | 4.6.1 | 4.8.1
Debian | adminer/adminer | < 4.7.9-2+3
Ubuntu | adminer/adminer | < 4.2.1-1ubuntu1+esm1+2

Patches

🔴 Vulnerability Details (4)

OSV: adminer vulnerabilities (2022-06-03)
OSV: XSS in doc_link (2022-03-18)
GHSA: XSS in doc_link (2022-03-18)
OSV: CVE-2021-29625: Adminer is open-source database management software (2021-05-19)

💥 Exploits & PoCs (1)

Nuclei: Adminer <=4.8.0 - Cross-Site Scripting

📋 Vendor Advisories (2)

Ubuntu: Adminer vulnerabilities (2022-06-03)
Debian: CVE-2021-29625: adminer - Adminer is open-source database management software. A cross-site scripting vuln... (2021)

🕵️ Threat Intelligence (1)

Greynoiseio: NoiseLetter September 2025