CVE-2026-25892
HIGH
GHSA-q4f2-39gr-45jh
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4Description
Adminer is open-source database management software. Adminer v5.4.1 and earlier has a version check mechanism where adminer.org sends signed version info via JavaScript postMessage, which the browser then POSTs to ?script=version. This endpoint lacks origin validation and accepts POST data from any source. An attacker can POST version[] parameter which PHP converts to an array. On next page load, openssl_verify() receives this array instead of string and throws TypeError, returning HTTP 500 to all users. Upgrade to Adminer 5.4.2.
Analysis
Adminer versions 5.4.1 and earlier suffer from a post-message validation bypass that allows remote attackers to trigger denial of service affecting all users. By sending a crafted POST request with array parameters to the version endpoint, an attacker can cause openssl_verify() to receive malformed input, resulting in a TypeError that crashes the application and returns HTTP 500 errors. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all systems running Adminer and identify instances running v5.4.1 or earlier. Within 7 days: Apply available patches to all affected Adminer installations and validate successful upgrades. …
Sign in for detailed remediation steps.
Priority Score
Vendor Status
Share
External POC / Exploit Code
Leaving vuln.today