GHSA-jvxx-8xxf-5495 · Severity: critical · Ecosystem: composer — phpMyAdmin CSRF Vulnerability
An issue was discovered in phpMyAdmin. When the arg_separator is different from its default & value, the CSRF token was not properly stripped from the return URL of the preference import action. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.
Conclusion & alert: CVE-2016-9866 is rated Moderate Risk (54.7/100): CVSS Critical severity, with low exploitation likelihood (EPSS 0.24%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2025-03-30 | 0.47% | 0.24% | -0.23% |
| 2 | 2025-03-29 | 0.24% | 0.47% | +0.23% |
| 3 | 2025-03-19 | — | 0.24% | — |
Full EPSS history (6 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 9.8 | 3.0 | CRITICAL |
|
3.9 | 5.9 | [email protected] |
| 6.8 | 2.0 | MEDIUM |
|
8.6 | 6.4 | [email protected] |
GHSA-jvxx-8xxf-5495 · Severity: critical · Ecosystem: composer — phpMyAdmin CSRF Vulnerability
| vendor | priority | summary | link |
|---|---|---|---|
alpine
|
— | CVE-2016-9866: 1 source package rows (phpmyadmin); 7 state rows across 7 repos (3.17-community, 3.18-community, 3.19-community, 3.20-community, 3.21-community, 3.22-community, edge-community); fixed 7, open 0. | https://security.alpinelinux.org/vuln/CVE-2016-9866 |
debian
|
unimportant | CVE-2016-9866 unimportant priority: Debian including 1 source packages (phpmyadmin), 4 status rows across 4 suites (bookworm, bullseye, sid, trixie): resolved 4. | https://security-tracker.debian.org/tracker/CVE-2016-9866 |
gentoo
|
normal | CVE-2016-9866: 1 GLSA(s) (201701-32), 1 atom(s) (dev-db/phpmyadmin); latest impact normal. | https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2016-9866 |
ubuntu
|
medium | CVE-2016-9866 medium priority: Ubuntu including 1 source packages (phpmyadmin), 16 status rows across 16 suites (artful, bionic, cosmic, disco, eoan, focal, groovy, hirsute, impish, jammy, precise, trusty, upstream, xenial, yakkety, zesty): not-affected 10, released 3, ignored 2, DNE 1. | https://ubuntu.com/security/CVE-2016-9866 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| phpmyadmin | phpmyadmin | 4.6.0 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.0:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.6.1 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.1:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.6.2 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.2:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.6.3 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.3:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.6.4 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.4:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.0 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.0:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.1 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.1:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.1.1 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.1.1:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.2 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.2:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.3 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.3:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.4 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.4:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.5 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.5:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.6 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.6:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.6.1 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.6.1:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.7 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.7:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.8 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.8:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.9 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.9:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.10 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.10:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.11 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.11:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.12 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.12:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.13 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.13:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.13.1 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.13.1:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.14 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.14:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.14.1 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.14.1:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.15 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.15.1 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.1:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.15.2 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.2:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.15.3 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.3:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.15.4 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.4:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.15.5 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.5:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.15.6 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.6:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.15.7 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.7:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.4.15.8 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15.8:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.0 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.1 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.1:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.2 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.2:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.3 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.3:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.4 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.4.1 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4.1:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.4.2 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4.2:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.5 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.5:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.6 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.6:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.7 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.7:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.8 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.8:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.9 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.9:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.10 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.10.1 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.1:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.10.2 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.2:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.10.3 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.3:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.10.4 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.4:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.10.5 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.5:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.10.6 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.6:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.10.7 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.7:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.10.8 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.8:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.10.9 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.9:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.10.10 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.10:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.10.11 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.11:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.10.12 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.12:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.10.13 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.13:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.10.14 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.14:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.10.15 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.15:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.10.16 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.16:*:*:*:*:*:*:* |
| phpmyadmin | phpmyadmin | 4.0.10.17 | cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.10.17:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/94536 | |
| https://security.gentoo.org/glsa/201701-32 | |
| https://www.phpmyadmin.net/security/PMASA-2016-71 | Patch Vendor Advisory |