Vrana Adminer vulnerabilities

7 known vulnerabilities affecting vrana/adminer.

Total CVEs: 7
CISA KEV: 1 (actively exploited)
Public exploits: 3
Exploited in wild: 0
Severity breakdown: HIGH 4, MEDIUM 3

Vulnerabilities

CVE-2026-25892 | HIGH | CVSS 7.5 | PoC available | affected: >= 4.6.2, < 5.4.2 | published: 2026-02-09
CWE-20: Adminer is open-source database management software. Adminer v5.4.1 and earlier has a version check mechanism where adminer.org sends signed version info via JavaScript postMessage, which the browser then POSTs to ?script=version. This endpoint lacks origin validation and accepts POST data from any source. An attacker can POST version[] parameter which
Sources: GHSA, NVD, OSV
CVE-2025-43960 | HIGH | affected: >= 0, <= 4.8.1 | published: 2025-08-25
CWE-502: Adminer PHP Object Injection issue leads to Denial of Service. Adminer 4.8.1, when using Monolog for logging, allows a Denial of Service (memory consumption) via a crafted serialized payload (e.g., using s:1000000000), leading to a PHP Object Injection issue. Remote, unauthenticated attackers can trigger this by sending a malicious serialized object, which forces excessive memory usage, rendering Adminer’
Sources: GHSA, OSV
CVE-2021-43008 | HIGH | affected: >= 1.12.0, < 4.6.3 | published: 2022-04-06
CWE-552: Files or Directories Accessible to External Parties in Adminer. Improper Access Control in Adminer versions 1.12.0 to 4.6.2 (fixed in version 4.6.3) allows an attacker to achieve Arbitrary File Read on the remote server by requesting the Adminer to connect to a remote MySQL database.
Sources: GHSA, OSV
CVE-2021-29625 | MEDIUM | CVSS 6.1 | PoC available | affected: >= 4.7.8, < 4.8.1 | published: 2021-05-19
CWE-79: Adminer is open-source database management software. A cross-site scripting vulnerability in Adminer versions 4.6.1 to 4.8.0 affects users of MySQL, MariaDB, PgSQL and SQLite. XSS is in most cases prevented by strict CSP in all modern browsers. The only exception is when Adminer is using a `pdo_` extension to communicate with the database (it is used
Sources: GHSA, NVD, OSV
CVE-2021-21311 | HIGH | CVSS 7.2 | CISA KEV | PoC available | affected: >= 4.0.0, < 4.7.9 | published: 2021-02-11
CWE-918: Adminer is an open-source database management in a single PHP file. In adminer from version 4.0.0 and before 4.7.9 there is a server-side request forgery vulnerability. Users of Adminer versions bundling all drivers (e.g. `adminer.php`) are affected. This is fixed in version 4.7.9.
Sources: GHSA, NVD, OSV
CVE-2020-35572 | MEDIUM | affected: >= 0, < 4.7.9 | published: 2021-02-11
CWE-79: vrana/adminer via XSS in the history parameter in SQL command
### Impact
Users of Adminer versions supporting SQL command (most versions, e.g. MySQL) using browsers not encoding URL parameters before sending to server (likely Edge, not Chrome, not Firefox) are affected.
### Patches
Patched by 5c395afc, included in version [4.7.9](https://github.com/vrana/adminer/releases/tag/v4.7.9).
### Workarounds
U
Sources: GHSA, OSV
CVE-2018-7667 | MEDIUM | affected: >= 0, < 4.7.8 | published: 2021-02-11
CWE-918: vrana/adminer vulnerable to SSRF by connecting to privileged ports
### Impact
All users are affected.
### Patches
* Unsuccessfully patched by 0fae40fb, included in version [4.4.0](https://github.com/vrana/adminer/releases/tag/v4.4.0).
* Patched by 35bfaa75, included in version [4.7.8](https://github.com/vrana/adminer/releases/tag/v4.7.8).
### Workarounds
Protect access to Adminer also by other me
Sources: GHSA, OSV