GHSA-9xhq-pm7v-693p · Severity: medium · Ecosystem: composer — phpMyAdmin Cryptographic Vulnerability
An issue was discovered in phpMyAdmin. When the user does not specify a blowfish_secret key for encrypting cookies, phpMyAdmin generates one at runtime. A vulnerability was reported where the way this value is created uses a weak algorithm. This could allow an attacker to determine the user's blowfish_secret and potentially decrypt their cookies. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.
Conclusion & alert: CVE-2016-9847 is rated Moderate Risk (50.1/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 2.00%). Core evidence: EPSS rose +1.57% over the last day, indicating growing attacker interest. Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.43% | 2.00% | +1.57% |
| 2 | 2025-07-30 | 0.46% | 0.43% | -0.03% |
| 3 | 2025-03-30 | — | 0.46% | — |
Full EPSS history (7 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 5.3 | 3.0 | MEDIUM |
|
3.9 | 1.4 | [email protected] |
| 5.0 | 2.0 | MEDIUM |
|
10.0 | 2.9 | [email protected] |
GHSA-9xhq-pm7v-693p · Severity: medium · Ecosystem: composer — phpMyAdmin Cryptographic Vulnerability
| vendor | priority | summary | link |
|---|---|---|---|
alpine
|
— | CVE-2016-9847: 1 source package rows (phpmyadmin); 7 state rows across 7 repos (3.17-community, 3.18-community, 3.19-community, 3.20-community, 3.21-community, 3.22-community, edge-community); fixed 7, open 0. | https://security.alpinelinux.org/vuln/CVE-2016-9847 |
debian
|
unimportant | CVE-2016-9847 unimportant priority: Debian including 1 source packages (phpmyadmin), 4 status rows across 4 suites (bookworm, bullseye, sid, trixie): resolved 4. | https://security-tracker.debian.org/tracker/CVE-2016-9847 |
gentoo
|
normal | CVE-2016-9847: 1 GLSA(s) (201701-32), 1 atom(s) (dev-db/phpmyadmin); latest impact normal. | https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2016-9847 |
ubuntu
|
medium | CVE-2016-9847 medium priority: Ubuntu including 1 source packages (phpmyadmin), 23 status rows across 23 suites (artful, bionic, cosmic, disco, eoan, focal, groovy, hirsute, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, precise, questing, trusty, upstream, xenial, yakkety, zesty): not-affected 15, ignored 4, needed 2, DNE 1, released 1. | https://ubuntu.com/security/CVE-2016-9847 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| phpmyadmin | phpmyadmin | 4.6.0 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.0:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.6.1 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.1:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.6.2 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.2:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.6.3 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.3:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.6.4 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.4:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.0 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.1 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.1:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.2 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.2:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.3 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.3:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.4 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.4.1 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4.1:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.4.2 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4.2:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.5 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.5:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.6 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.6:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.7 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.7:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.8 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.8:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.9 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.9:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.10 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.10.1 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.1:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.10.2 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.2:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.10.3 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.3:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.10.4 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.4:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.10.5 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.5:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.10.6 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.6:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.10.7 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.7:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.10.8 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.8:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.10.9 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.9:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.10.10 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.10:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.10.11 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.11:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.10.12 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.12:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.10.13 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.13:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.10.14 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.14:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.10.15 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.15:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.10.16 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.16:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.10.17 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.17:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.0 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.0:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.1 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.1:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.1.1 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.1.1:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.2 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.2:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.3 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.3:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.4 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.4:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.5 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.5:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.6 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.6:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.6.1 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.6.1:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.7 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.7:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.8 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.8:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.9 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.9:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.10 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.10:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.11 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.11:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.12 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.12:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.13 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.13:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.13.1 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.13.1:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.14 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.14:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.14.1 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.14.1:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.15 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.15.1 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.1:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.15.2 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.2:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.15.3 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.3:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.15.4 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.4:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.15.5 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.5:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.15.6 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.6:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.15.7 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.7:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.15.8 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.8:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/94524 | Third Party Advisory VDB Entry |
| https://security.gentoo.org/glsa/201701-32 | |
| https://www.phpmyadmin.net/security/PMASA-2016-58 | Patch Vendor Advisory |