adminer CVE Vulnerabilities & Metrics

Focus on adminer vulnerabilities and metrics.

Last updated: 25 Nov 2025, 23:25 UTC

About adminer Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with adminer. We track both calendar-based metrics (fixed periods) and rolling metrics (sliding windows) to give a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total adminer CVEs: 6
Earliest CVE date: 05 Mar 2018, 07:29 UTC
Latest CVE date: 25 Aug 2025, 14:15 UTC

Latest CVE reference: CVE-2025-43960

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 1

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical adminer CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 4.58 (mean of the six listed values, including the 0 shown for CVE-2025-43960; that 0 denotes an unassigned score rather than a zero-severity rating, so the mean of the five scored entries is 5.50, and the single entry in the 0.0-3.9 range below is that unscored one)

Max CVSS: 7.5

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range Count
0.0-3.9 1
4.0-6.9 4
7.0-8.9 1
9.0-10.0 0
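The Rolling Stats, Variations & Growth and CVSS Stats figures above can be reproduced from the six publication dates and scores in the CVE list below. The following is an added example written for this page, not code from the page's tooling or from the Adminer project. It assumes two conventions that the page does not document but its published figures imply: a growth rate is reported as 0% when the previous window holds no CVEs (the 365-day count went from 0 to 1, yet the page shows 0.0%), and the windows end at the page's "last updated" timestamp.

```python
"""Reproduce the rolling, calendar and CVSS metrics shown on this page from
its six Adminer CVE entries. Added example for this page, not the page's own
tooling; conventions marked as assumptions are inferred from the published figures."""
from datetime import datetime, timedelta, timezone

# Publication timestamps and listed CVSS scores, transcribed from the entries below
# (constructed dataset). CVE-2025-43960 is listed at 0 because no score is assigned.
ADMINER_CVES = [
    ("CVE-2025-43960", "2025-08-25T14:15Z", 0.0),
    ("CVE-2021-43008", "2022-04-05T02:15Z", 5.0),
    ("CVE-2021-29625", "2021-05-19T22:15Z", 4.3),
    ("CVE-2021-21311", "2021-02-11T21:15Z", 6.4),
    ("CVE-2020-35572", "2021-02-09T18:15Z", 4.3),
    ("CVE-2018-7667",  "2018-03-05T07:29Z", 7.5),
]
# Assumption: the page's "last updated" time is the snapshot the windows end at.
SNAPSHOT = datetime(2025, 11, 25, 23, 25, tzinfo=timezone.utc)

def _when(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%MZ").replace(tzinfo=timezone.utc)

def rolling_count(cves, now, days, offset_days=0):
    """CVEs published in the half-open window (end - days, end], where end = now - offset."""
    end = now - timedelta(days=offset_days)
    start = end - timedelta(days=days)
    return sum(1 for _, ts, _ in cves if start < _when(ts) <= end)

def growth_rate(current, previous):
    """Percent change between two window counts, rounded to one decimal.
    Assumption: an empty previous window yields 0.0 (the page shows 0.0% for the
    365-day window even though its count went from 0 to 1)."""
    if previous == 0:
        return 0.0
    return round((current - previous) / previous * 100.0, 1)

def calendar_count(cves, year, month=None):
    """CVEs published in a calendar year, or in one calendar month of it."""
    return sum(1 for _, ts, _ in cves
               if _when(ts).year == year and (month is None or _when(ts).month == month))

def calendar_variation(cves, now, monthly):
    """This month vs the same month last year, or this year vs last year."""
    if monthly:
        cur = calendar_count(cves, now.year, now.month)
        prev = calendar_count(cves, now.year - 1, now.month)
    else:
        cur = calendar_count(cves, now.year)
        prev = calendar_count(cves, now.year - 1)
    return growth_rate(cur, prev)

def cvss_summary(cves):
    """Average (with and without unscored entries), max, critical count and range buckets."""
    scores = [s for _, _, s in cves]
    scored = [s for s in scores if s > 0]          # a listed 0 is an unassigned score
    buckets = {"0.0-3.9": 0, "4.0-6.9": 0, "7.0-8.9": 0, "9.0-10.0": 0}
    for s in scores:
        key = "0.0-3.9" if s < 4.0 else "4.0-6.9" if s < 7.0 else "7.0-8.9" if s < 9.0 else "9.0-10.0"
        buckets[key] += 1
    return {
        "average_listed": round(sum(scores) / len(scores), 2),
        "average_scored": round(sum(scored) / len(scored), 2) if scored else None,
        "max": max(scores),
        "critical": sum(1 for s in scores if s >= 9.0),
        "buckets": buckets,
    }

def page_metrics(cves=ADMINER_CVES, now=SNAPSHOT):
    """All figures shown in the Rolling Stats, Variations & Growth and CVSS Stats sections."""
    return {
        "rolling_30": rolling_count(cves, now, 30),
        "rolling_365": rolling_count(cves, now, 365),
        "growth_30": growth_rate(rolling_count(cves, now, 30), rolling_count(cves, now, 30, 30)),
        "growth_365": growth_rate(rolling_count(cves, now, 365), rolling_count(cves, now, 365, 365)),
        "month_variation": calendar_variation(cves, now, monthly=True),
        "year_variation": calendar_variation(cves, now, monthly=False),
        **cvss_summary(cves),
    }

if __name__ == "__main__":
    for key, value in page_metrics().items():
        print(f"{key}: {value}")
```

The two averages differ because the CVE-2025-43960 entry carries no assigned score: 4.58 is the mean of the listed values including its 0, while 5.50 is the mean of the five scored entries. For patch planning the second figure is the more honest one, and the 0.0-3.9 bucket holds nothing but that unscored entry.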

CVSS Distribution Chart

Top 5 Highest CVSS adminer CVEs

These are the five CVEs with the highest CVSS scores for adminer, sorted by severity first and then by recency.

All CVEs for adminer

CVE-2025-43960 adminer vulnerability CVSS: 0 25 Aug 2025, 14:15 UTC

Adminer 4.8.1, when using Monolog for logging, allows a Denial of Service (memory consumption) via a crafted serialized payload (e.g., using s:1000000000), leading to a PHP Object Injection issue. Remote, unauthenticated attackers can trigger this by sending a malicious serialized object, which forces excessive memory usage, rendering Adminer’s interface unresponsive and causing a server-level DoS. While the server may recover after several minutes, multiple simultaneous requests can cause a complete crash requiring manual intervention.

CVE-2021-43008 adminer vulnerability CVSS: 5.0 05 Apr 2022, 02:15 UTC

Improper Access Control in Adminer versions 1.12.0 to 4.6.2 (fixed in version 4.6.3) allows an attacker to achieve Arbitrary File Read on the remote server by requesting Adminer to connect to a remote MySQL database.

CVE-2021-29625 adminer vulnerability CVSS: 4.3 19 May 2021, 22:15 UTC

Adminer is open-source database management software. A cross-site scripting vulnerability in Adminer versions 4.6.1 to 4.8.0 affects users of MySQL, MariaDB, PgSQL and SQLite. XSS is in most cases prevented by strict CSP in all modern browsers. The only exception is when Adminer is using a `pdo_` extension to communicate with the database (it is used if the native extensions are not enabled). In browsers without CSP, Adminer versions 4.6.1 to 4.8.0 are affected. The vulnerability is patched in version 4.8.1. As workarounds, one can use a browser supporting strict CSP or enable the native PHP extensions (e.g. `mysqli`) or disable displaying PHP errors (`display_errors`).

CVE-2021-21311 adminer vulnerability CVSS: 6.4 11 Feb 2021, 21:15 UTC

Adminer is an open-source database management tool in a single PHP file. In adminer from version 4.0.0 and before 4.7.9 there is a server-side request forgery vulnerability. Users of Adminer versions bundling all drivers (e.g. `adminer.php`) are affected. This is fixed in version 4.7.9.

CVE-2020-35572 adminer vulnerability CVSS: 4.3 09 Feb 2021, 18:15 UTC

Adminer through 4.7.8 allows XSS via the history parameter to the default URI.

CVE-2018-7667 adminer vulnerability CVSS: 7.5 05 Mar 2018, 07:29 UTC

Adminer through 4.3.1 has SSRF via the server parameter.
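To turn the list above into a per-deployment check, the affected version ranges from the six entries can be encoded and compared against an installed version. This is an added example written for this page, not Adminer's own code. The ranges and the applicability conditions are transcribed from the descriptions above (for CVE-2025-43960 the page names only 4.8.1 and gives no fixed version, so only that version is flagged); the `@version` docblock tag and `$VERSION = "..."` assignment that `detect_version` looks for are assumptions about how a single-file build records its version, and the sample header is constructed.

```python
"""Check an installed Adminer version against the six CVEs listed on this page.
Added example for this page, not Adminer's own code. Ranges and conditions are
transcribed from the CVE descriptions above; header patterns are assumptions."""
import re

def parse_version(s):
    """'4.7.8' -> (4, 7, 8). Missing trailing components count as 0."""
    parts = [int(p) for p in re.findall(r"\d+", s)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

V = parse_version

# (CVE, lowest affected or None, upper bound, upper bound inclusive?, condition noted on the page)
ADMINER_CVE_RANGES = [
    ("CVE-2018-7667",  None,        V("4.3.1"), True,  "SSRF via the server parameter"),
    ("CVE-2020-35572", None,        V("4.7.8"), True,  "XSS via the history parameter"),
    ("CVE-2021-21311", V("4.0.0"),  V("4.7.9"), False, "SSRF; builds bundling all drivers (e.g. adminer.php)"),
    ("CVE-2021-43008", V("1.12.0"), V("4.6.3"), False, "arbitrary file read when connecting to a remote MySQL database"),
    ("CVE-2021-29625", V("4.6.1"),  V("4.8.0"), True,  "XSS; only with a pdo_ driver and a browser without strict CSP"),
    ("CVE-2025-43960", V("4.8.1"),  V("4.8.1"), True,  "DoS via serialized payload; only when Monolog is used for logging"),
]

def applicable_cves(version):
    """Return [(cve, condition)] for every listed CVE whose range covers `version`."""
    v = V(version)
    hits = []
    for cve, low, high, inclusive, condition in ADMINER_CVE_RANGES:
        if low is not None and v < low:
            continue
        if v > high or (v == high and not inclusive):
            continue
        hits.append((cve, condition))
    return hits

def detect_version(source):
    """Extract the version from adminer.php-style source text.
    Assumption: the build records it either as a '@version X.Y.Z' docblock tag
    or as a $VERSION = "X.Y.Z"; assignment. Returns None if neither is found."""
    m = (re.search(r"@version\s+(\d+\.\d+\.\d+)", source)
         or re.search(r'\$VERSION\s*=\s*"(\d+\.\d+\.\d+)"', source))
    return m.group(1) if m else None

# Constructed sample header in the shape the detector expects (not a real file).
SAMPLE_HEADER = "<?php\n/** Adminer - Compact database management\n* @version 4.7.8\n*/\n"

def report(source):
    """Detect the version in `source` and list the CVEs it falls under."""
    ver = detect_version(source)
    if ver is None:
        return None, []
    return ver, applicable_cves(ver)

if __name__ == "__main__":
    ver, hits = report(SAMPLE_HEADER)
    print(f"Adminer {ver}:")
    for cve, condition in hits:
        print(f"  {cve}: {condition}")
```

Run it against the header of the deployed file rather than a version you remember installing; a 4.7.8 build matches three entries (CVE-2020-35572, CVE-2021-21311 and CVE-2021-29625), and the conditions column tells you which of those actually apply to your driver and browser setup.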