anonhaven
Ad

CVE-2026-25892

HIGH CVSS 3.1: 7.5 EPSS 2.49%
Updated Feb 10, 2026
PHP
Parameter Value
CVSS 7.5 (HIGH)
Type CWE-20 (Improper Input Validation (Неправильная проверка ввода))
Vendor PHP
Public PoC No

Adminer is open-source database management software. Adminer v5.4.1 and earlier has a version check mechanism where adminer.org sends signed version info via JavaScript postMessage, which the browser then POSTs to ?script=version. This endpoint lacks origin validation and accepts POST data from any source.

An attacker can POST version[] parameter which PHP converts to an array. On next page load, openssl_verify() receives this array instead of string and throws TypeError, returning HTTP 500 to all users. Upgrade to Adminer 5.4.2.

Attack Parameters

Attack Vector
Network
Атака возможна удалённо
Attack Complexity
Low
Легко эксплуатировать
Privileges Required
None
Права не нужны
User Interaction
None
Не нужно действие пользователя

Impact Assessment

Confidentiality
None
Нет утечки данных
Integrity
None
Нет модификации данных
Availability
High
Полный отказ в обслуживании

CVSS Vector v3.1

Weakness Type (CWE)

CWE-20 Improper Input Validation (Неправильная проверка ввода)

References 3

https://github.com/vrana/adminer/commit/21d3a3150388677b18647d68aec93b7850e457d3
security-advisories@github.com
https://github.com/vrana/adminer/releases/tag/v5.4.2
security-advisories@github.com
https://github.com/vrana/adminer/security/advisories/GHSA-q4f2-39gr-45jh
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-28429

PHP

7.5

CVE-2026-28502

PHP

9.3

CVE-2026-28501

PHP

9.8

CVE-2026-3616

PHP

5.3

CVE-2026-3610

PHP

5.3