Vulnerability details: VCID-m59a-5uea-rfa9
Vulnerability ID VCID-m59a-5uea-rfa9
Aliases CVE-2016-5734
GHSA-rv57-479x-x4qv
Summary phpMyAdmin Code Injection vulnerability. phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not properly choose delimiters to prevent use of the preg_replace e (aka eval) modifier, which might allow remote attackers to execute arbitrary PHP code via a crafted string, as demonstrated by the table search-and-replace implementation.
Status Published
Exploitability 2.0
Weighted Severity 9.0
Risk 10.0
System Score Found at
epss 0.72916 https://api.first.org/data/v1/epss?cve=CVE-2016-5734
cvssv3.1_qr CRITICAL https://github.com/advisories/GHSA-rv57-479x-x4qv
cvssv3.1 9.8 https://github.com/phpmyadmin/phpmyadmin
generic_textual CRITICAL https://github.com/phpmyadmin/phpmyadmin
cvssv3.1 9.8 https://github.com/phpmyadmin/phpmyadmin/commit/1cc7466db3a05e95fe57a6702f41773e6829d54b
generic_textual CRITICAL https://github.com/phpmyadmin/phpmyadmin/commit/1cc7466db3a05e95fe57a6702f41773e6829d54b
cvssv3.1 9.8 https://github.com/phpmyadmin/phpmyadmin/commit/4bcc606225f15bac0b07780e74f667f6ac283da7
generic_textual CRITICAL https://github.com/phpmyadmin/phpmyadmin/commit/4bcc606225f15bac0b07780e74f667f6ac283da7
cvssv3.1 9.8 https://nvd.nist.gov/vuln/detail/CVE-2016-5734
generic_textual CRITICAL https://nvd.nist.gov/vuln/detail/CVE-2016-5734
cvssv3.1 9.8 https://security.gentoo.org/glsa/201701-32
generic_textual CRITICAL https://security.gentoo.org/glsa/201701-32
cvssv3.1 9.8 https://web.archive.org/web/20200227223418/http://www.securityfocus.com/bid/91387
generic_textual CRITICAL https://web.archive.org/web/20200227223418/http://www.securityfocus.com/bid/91387
cvssv3.1 9.8 https://www.exploit-db.com/exploits/40185
generic_textual CRITICAL https://www.exploit-db.com/exploits/40185
cvssv3.1 9.8 https://www.phpmyadmin.net/security/PMASA-2016-27
generic_textual CRITICAL https://www.phpmyadmin.net/security/PMASA-2016-27
Data source Metasploit
Description phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not properly choose delimiters to prevent use of the preg_replace e (aka eval) modifier, which might allow remote attackers to execute arbitrary PHP code via a crafted string, as demonstrated by the table search-and-replace implementation.
Note
Reliability:
  - unknown-reliability
Stability:
  - unknown-stability
SideEffects:
  - unknown-side-effects
Ransomware campaign use Unknown
Source publication date June 23, 2016
Platform PHP
Source URL https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/multi/http/phpmyadmin_null_termination_exec.rb
Data source Exploit-DB
Date added July 29, 2016
Description phpMyAdmin 4.6.2 - (Authenticated) Remote Code Execution
Ransomware campaign use Unknown
Source publication date July 29, 2016
Exploit type webapps
Platform php
Source update date July 29, 2016
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/phpmyadmin/phpmyadmin
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/phpmyadmin/phpmyadmin/commit/1cc7466db3a05e95fe57a6702f41773e6829d54b
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/phpmyadmin/phpmyadmin/commit/4bcc606225f15bac0b07780e74f667f6ac283da7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2016-5734
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://security.gentoo.org/glsa/201701-32
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://web.archive.org/web/20200227223418/http://www.securityfocus.com/bid/91387
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.exploit-db.com/exploits/40185
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.phpmyadmin.net/security/PMASA-2016-27
Exploit Prediction Scoring System (EPSS)
Percentile 0.98716
EPSS Score 0.72916
Published At July 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T09:07:25.506834+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-rv57-479x-x4qv/GHSA-rv57-479x-x4qv.json 37.0.0