Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2026-25892Improper Input Validation in Adminer

CWE-20Improper Input Validation7 documents6 sources
Severity
7.5HIGHNVD
EPSS
4.3%
top 11.12%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
3
AdminerVrana AdminerDebian Adminer
Timeline
PublishedFeb 9
Latest updateFeb 10

Description

Adminer is open-source database management software. Adminer v5.4.1 and earlier has a version check mechanism where adminer.org sends signed version info via JavaScript postMessage, which the browser then POSTs to ?script=version. This endpoint lacks origin validation and accepts POST data from any source. An attacker can POST version[] parameter which PHP converts to an array. On next page load, openssl_verify() receives this array instead of string and throws TypeError, returning HTTP 500 to a

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

Packagistvrana/adminer4.6.25.4.2
NVDadminer/adminer4.6.25.4.2
CVEListV5vrana/adminer>= 4.6.2, < 5.4.2

Patches

Patch: github.com

🔴Vulnerability Details

3
GHSA
Adminer has an Unauthenticated Persistent DoS via Array Injection in ?script=version Endpoint2026-02-10
OSV
Adminer has an Unauthenticated Persistent DoS via Array Injection in ?script=version Endpoint2026-02-10
OSV
CVE-2026-25892: Adminer is open-source database management software2026-02-09

💥Exploits & PoCs

1
Nuclei
Adminer 4.6.2 - 5.4.1 Unauthenticated Persistent DoS

📋Vendor Advisories

1
Debian
CVE-2026-25892: adminer - Adminer is open-source database management software. Adminer v5.4.1 and earlier ...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-25892 Impact, Exploitability, and Mitigation Steps | Wiz