CVE-2026-25892
Published 2026-02-09
Priority: P3 · 54 · high. CVSS 3.1 base score 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
EPSS: 1.59% (72.5th percentile).
Adminer is open-source database management software. Adminer v5.4.1 and earlier has a version check mechanism in which adminer.org sends signed version info via JavaScript postMessage, which the browser then POSTs to ?script=version. This endpoint lacks origin validation and accepts POST data from any source. An attacker can POST a version[] parameter, which PHP converts to an array. On the next page load, openssl_verify() receives this array instead of a string and throws a TypeError, returning HTTP 500 to all users. Upgrade to Adminer 5.4.2.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adminer | adminer | >= 4.6.2 < 5.4.2 | 5.4.2 |
| debian | adminer | — | — |
| vrana | adminer | — | — |
| vrana | adminer | >= 4.6.2 < 5.4.2 | 5.4.2 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | LOW | — |
GHSA
Adminer has an Unauthenticated Persistent DoS via Array Injection in ?script=version Endpoint
ghsa · 2026-02-10 · CVE-2026-25892 · HIGH · CWE-20
### Summary
Adminer v5.4.1 has a version check mechanism in which `adminer.org` sends signed version info via JavaScript postMessage, which the browser then POSTs to `?script=version`. This endpoint lacks origin validation and accepts POST data from any source. An attacker can POST a `version[]` parameter, which PHP converts to an array. On the next page load, `openssl_verify()` receives this array instead of a string and throws a `TypeError`, returning HTTP 500 to all users.
### Fix
Upgrade to Adminer 5.4.2.
**Mitigation** (if you can't upgrade): make the file `adminer.version` in the temp directory (usually the value of [upload_tmp_dir](https://www.php.net/ini.core#ini.upload-tmp-dir)) unwritable by the web server.
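As an added illustration (not Adminer's code, which this page does not show), a PHP sketch of the two checks the advisory implies for an endpoint of this shape: reject non-string POST values before they can reach `openssl_verify()`, and treat a malformed or foreign cache file as "no version info" instead of a fatal error. The file path, public key, base64 signature encoding and JSON cache layout are assumptions made for the example; it also verifies the signature at POST time so that unsigned data is never persisted.

```php
<?php
// Added example of hardening a "?script=version"-style cache endpoint.
// Not Adminer's code; path, key and cache layout are placeholders.
declare(strict_types=1);
const VERSION_FILE   = '/tmp/adminer.version';                          // placeholder path
const PUBLIC_KEY_PEM = "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----\n"; // placeholder
/** True only for a well-typed, well-formed, validly signed pair; never throws. */
function version_is_trusted(mixed $version, mixed $signature): bool {
    // "version[]=x" arrives as an array and openssl_verify() would raise a
    // TypeError on it: check the type before the crypto call, not after.
    if (!is_string($version) || !is_string($signature)) {
        return false;
    }
    if (!preg_match('/^\d+(\.\d+){1,3}$/', $version)) {                 // e.g. "5.4.2"
        return false;
    }
    $raw = base64_decode($signature, true);                              // assumed encoding
    $key = openssl_pkey_get_public(PUBLIC_KEY_PEM);
    if ($raw === false || $key === false) {
        return false;
    }
    return openssl_verify($version, $raw, $key, OPENSSL_ALGO_SHA256) === 1;
}
/** POST handler: validate and verify BEFORE anything is written to disk. */
function handle_version_post(array $post): int {
    $version   = $post['version']   ?? null;
    $signature = $post['signature'] ?? null;
    if (!version_is_trusted($version, $signature)) {
        return 400;                                                      // reject, never persist
    }
    $blob = json_encode(['version' => $version, 'signature' => $signature]);
    return file_put_contents(VERSION_FILE, $blob, LOCK_EX) === false ? 500 : 204;
}
/** Page-load side: a corrupt or tampered cache yields null, not HTTP 500. */
function cached_version(): ?string {
    if (!is_readable(VERSION_FILE)) {
        return null;
    }
    $data = json_decode((string) file_get_contents(VERSION_FILE), true);
    if (!is_array($data)) {
        return null;
    }
    return version_is_trusted($data['version'] ?? null, $data['signature'] ?? null)
        ? $data['version'] : null;
}
```

With this layout the persisted file can only ever contain a string that already passed signature verification, and the page-load path re-validates it, so neither the array injection nor a directly edited cache file can turn into an uncaught exception.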
OSV
Adminer has an Unauthenticated Persistent DoS via Array Injection in ?script=version Endpoint
osv · 2026-02-10 · CVE-2026-25892 · HIGH
(Summary and fix identical to the GHSA entry above.)
OSV
CVE-2026-25892: Adminer is open-source database management software
osv · 2026-02-09 · CVSS 7.5 · HIGH
(Description identical to the NVD text at the top of this page.)
Debian
CVE-2026-25892: adminer - Adminer is open-source database management software. Adminer v5.4.1 and earlier ...
vendor_debian · 2026 · CVSS 7.5 · HIGH
(Description identical to the NVD text at the top of this page.)
Scope: local
Suite status: bookworm resolved; bullseye resolved; forky resolved; sid resolved; trixie resolved.
No detection rules found.
Nuclei
Adminer 4.6.2 - 5.4.1 Unauthenticated Persistent DoS
nuclei · CVSS 7.5 · CVE-2026-25892 · HIGH
Template fragment (partial; the request and extractor head of the template is not reproduced on this page):

```yaml
        # ... extractor regex list continues from the truncated head
        - 'Adminer ([0-9.]+)'
        - 'amp;version=([0-9.]+)'

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "Adminer"
          - "Adminer"
        condition: or

      - type: status
        status:
          - 200

      - type: dsl
        dsl:
          - 'compare_versions(version, ">=4.6.2", "<=5.4.1")'
# digest: 4b0a00483046022100dce0e0522f34787f6f96473fad4853f23734425f7d69268303a0ea791735eda1022100b4ad05c7d29c0881e41fe9b0dedcc7c3ec31ac29696d5a5782c4b8da09cf5877:922c64590222798bb761d5b6d8e72950
```
Published: 2026-02-09