Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-z76m-em7w-5qf6
Vulnerability ID VCID-z76m-em7w-5qf6
Aliases CVE-2009-1151
Summary Static code injection vulnerability in setup.php in phpMyAdmin 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 allows remote attackers to inject arbitrary PHP code into a configuration file via the save action.
Status Published
Exploitability 2.0
Weighted Severity 8.8
Risk 10.0
Affected and Fixed Packages Package Details
Weaknesses (0)
There are no known CWE.
System Score Found at
cvssv3.1 9.8 http://labs.neohapsis.com/2009/04/06/about-cve-2009-1151/
ssvc Act http://labs.neohapsis.com/2009/04/06/about-cve-2009-1151/
cvssv3.1 9.8 http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00003.html
ssvc Act http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00003.html
cvssv3.1 9.8 http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/branches/MAINT_2_11_9/phpMyAdmin/scripts/setup.php?r1=11514&r2=12301&pathrev=12301
ssvc Act http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/branches/MAINT_2_11_9/phpMyAdmin/scripts/setup.php?r1=11514&r2=12301&pathrev=12301
epss 0.93271 https://api.first.org/data/v1/epss?cve=CVE-2009-1151
epss 0.93271 https://api.first.org/data/v1/epss?cve=CVE-2009-1151
cvssv3.1 9.8 http://secunia.com/advisories/34430
ssvc Act http://secunia.com/advisories/34430
cvssv3.1 9.8 http://secunia.com/advisories/34642
ssvc Act http://secunia.com/advisories/34642
cvssv3.1 9.8 http://secunia.com/advisories/35585
ssvc Act http://secunia.com/advisories/35585
cvssv3.1 9.8 http://secunia.com/advisories/35635
ssvc Act http://secunia.com/advisories/35635
cvssv3.1 9.8 http://security.gentoo.org/glsa/glsa-200906-03.xml
ssvc Act http://security.gentoo.org/glsa/glsa-200906-03.xml
cvssv3.1 9.8 https://www.exploit-db.com/exploits/8921
ssvc Act https://www.exploit-db.com/exploits/8921
cvssv3.1 9.8 http://www.debian.org/security/2009/dsa-1824
ssvc Act http://www.debian.org/security/2009/dsa-1824
cvssv3.1 9.8 http://www.gnucitizen.org/blog/cve-2009-1151-phpmyadmin-remote-code-execution-proof-of-concept/
ssvc Act http://www.gnucitizen.org/blog/cve-2009-1151-phpmyadmin-remote-code-execution-proof-of-concept/
cvssv3.1 9.8 http://www.mandriva.com/security/advisories?name=MDVSA-2009:115
ssvc Act http://www.mandriva.com/security/advisories?name=MDVSA-2009:115
cvssv3.1 9.8 http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php
ssvc Act http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php
cvssv3.1 9.8 http://www.securityfocus.com/archive/1/504191/100/0/threaded
ssvc Act http://www.securityfocus.com/archive/1/504191/100/0/threaded
cvssv3.1 9.8 http://www.securityfocus.com/bid/34236
ssvc Act http://www.securityfocus.com/bid/34236
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-1151.json
https://api.first.org/data/v1/epss?cve=CVE-2009-1151
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1151
34236 http://www.securityfocus.com/bid/34236
34430 http://secunia.com/advisories/34430
34642 http://secunia.com/advisories/34642
35585 http://secunia.com/advisories/35585
35635 http://secunia.com/advisories/35635
492066 https://bugzilla.redhat.com/show_bug.cgi?id=492066
8921 https://www.exploit-db.com/exploits/8921
about-cve-2009-1151 http://labs.neohapsis.com/2009/04/06/about-cve-2009-1151/
advisories?name=MDVSA-2009:115 http://www.mandriva.com/security/advisories?name=MDVSA-2009:115
CVE-2009-1151;OSVDB-53076 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/16913.rb
CVE-2009-1151;OSVDB-53076 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/8992.php
cve-2009-1151-phpmyadmin-remote-code-execution-proof-of-concept http://www.gnucitizen.org/blog/cve-2009-1151-phpmyadmin-remote-code-execution-proof-of-concept/
dsa-1824 http://www.debian.org/security/2009/dsa-1824
GLSA-200906-03 https://security.gentoo.org/glsa/200906-03
glsa-200906-03.xml http://security.gentoo.org/glsa/glsa-200906-03.xml
OSVDB-53076;CVE-2009-1151 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/8921.sh
PMASA-2009-3.php http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php
setup.php?r1=11514&r2=12301&pathrev=12301 http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/branches/MAINT_2_11_9/phpMyAdmin/scripts/setup.php?r1=11514&r2=12301&pathrev=12301
threaded http://www.securityfocus.com/archive/1/504191/100/0/threaded
Data source Metasploit
Description This module exploits a vulnerability in phpMyAdmin's setup feature which allows an attacker to inject arbitrary PHP code into a configuration file. The original advisory says the vulnerability is present in phpMyAdmin versions 2.11.x <= 2.11.9.4 and 3.x <= 3.1.3. There was a follow up vulnerability as the patch was incomplete, affecting versions 3.x <= 3.1.3.1. The file where our payload is written (phpMyAdmin/config/config.inc.php) is not directly used by the system, so it may be a good idea to either delete it or copy the running config (phpMyAdmin/config.inc.php) over it after successful exploitation.
Note 
Reliability:
  - repeatable-session
Stability:
  - crash-safe
SideEffects:
  - config-changes
Ransomware campaign use Unknown
Source publication date March 24, 2009
Platform PHP
Source URL https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/unix/webapp/phpmyadmin_config.rb
Data source Exploit-DB
Date added July 3, 2010
Description phpMyAdmin - Config File Code Injection (Metasploit)
Ransomware campaign use Known
Source publication date July 3, 2010
Exploit type webapps
Platform php
Source update date March 6, 2011
Data source KEV
Date added March 25, 2022
Description Setup script used to generate configuration can be fooled using a crafted POST request to include arbitrary PHP code in generated configuration file.
Required action Apply updates per vendor instructions.
Due date April 15, 2022
Note 
https://nvd.nist.gov/vuln/detail/CVE-2009-1151
Ransomware campaign use Unknown
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://labs.neohapsis.com/2009/04/06/about-cve-2009-1151/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-10T19:07:41Z/ Found at http://labs.neohapsis.com/2009/04/06/about-cve-2009-1151/
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00003.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-10T19:07:41Z/ Found at http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00003.html
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/branches/MAINT_2_11_9/phpMyAdmin/scripts/setup.php?r1=11514&r2=12301&pathrev=12301
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-10T19:07:41Z/ Found at http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/branches/MAINT_2_11_9/phpMyAdmin/scripts/setup.php?r1=11514&r2=12301&pathrev=12301
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://secunia.com/advisories/34430
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-10T19:07:41Z/ Found at http://secunia.com/advisories/34430
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://secunia.com/advisories/34642
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-10T19:07:41Z/ Found at http://secunia.com/advisories/34642
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://secunia.com/advisories/35585
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-10T19:07:41Z/ Found at http://secunia.com/advisories/35585
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://secunia.com/advisories/35635
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-10T19:07:41Z/ Found at http://secunia.com/advisories/35635
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://security.gentoo.org/glsa/glsa-200906-03.xml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-10T19:07:41Z/ Found at http://security.gentoo.org/glsa/glsa-200906-03.xml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.exploit-db.com/exploits/8921
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-10T19:07:41Z/ Found at https://www.exploit-db.com/exploits/8921
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://www.debian.org/security/2009/dsa-1824
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-10T19:07:41Z/ Found at http://www.debian.org/security/2009/dsa-1824
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://www.gnucitizen.org/blog/cve-2009-1151-phpmyadmin-remote-code-execution-proof-of-concept/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-10T19:07:41Z/ Found at http://www.gnucitizen.org/blog/cve-2009-1151-phpmyadmin-remote-code-execution-proof-of-concept/
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://www.mandriva.com/security/advisories?name=MDVSA-2009:115
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-10T19:07:41Z/ Found at http://www.mandriva.com/security/advisories?name=MDVSA-2009:115
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-10T19:07:41Z/ Found at http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://www.securityfocus.com/archive/1/504191/100/0/threaded
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-10T19:07:41Z/ Found at http://www.securityfocus.com/archive/1/504191/100/0/threaded
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://www.securityfocus.com/bid/34236
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-10T19:07:41Z/ Found at http://www.securityfocus.com/bid/34236
Exploit Prediction Scoring System (EPSS)
Percentile 0.99814
EPSS Score 0.93271
Published At June 6, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-04T17:07:09.889246+00:00 Debian Importer Import https://security-tracker.debian.org/tracker/data/json 38.6.0