{"id":"CVE-2020-26934","details":"phpMyAdmin before 4.9.6 and 5.x before 5.0.3 allows XSS through the transformation feature via a crafted link.","aliases":["BIT-phpmyadmin-2020-26934","GHSA-6349-53vr-7hcr"],"modified":"2026-05-18T05:52:29.350219304Z","published":"2020-10-10T19:15:12.307Z","related":["openSUSE-SU-2020:1675-1","openSUSE-SU-2020:1806-1","openSUSE-SU-2024:11171-1"],"database_specific":{"unresolved_ranges":[{"cpes":["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"],"source":"CPE_FIELD","vendor_product":"debian:debian_linux","extracted_events":[{"last_affected":"9.0"}]},{"source":"CPE_FIELD","cpes":["cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*","cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*","cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*"],"vendor_product":"fedoraproject:fedora","extracted_events":[{"last_affected":"31"},{"last_affected":"32"},{"last_affected":"33"}]},{"source":"CPE_FIELD","cpes":["cpe:2.3:a:opensuse:backports_sle:15.0:-:*:*:*:*:*:*","cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*","cpe:2.3:a:opensuse:backports_sle:15.0:sp2:*:*:*:*:*:*"],"vendor_product":"opensuse:backports_sle","extracted_events":[{"last_affected":"15.0-NA"},{"last_affected":"15.0-sp1"},{"last_affected":"15.0-sp2"}]},{"source":"CPE_FIELD","cpes":["cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*","cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*"],"vendor_product":"opensuse:leap","extracted_events":[{"last_affected":"15.1"},{"last_affected":"15.2"}]}]},"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FHST4E5IJG7IKZTTW3R6MEZPVHJZ472K/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PXK37YEHSDYCIPQSYEMN2OFTP2ZLM7DO/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TNLGHVDNAEZEGRTUESSSQFM7MZTHIDQ5/"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00027.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00005.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/10/msg00024.html"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202101-35"},{"type":"FIX","url":"https://www.phpmyadmin.net/security/PMASA-2020-5/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/phpmyadmin/phpmyadmin","events":[{"introduced":"4ab33481be875d188d5e5c0860dd1499cd92e9d3"},{"fixed":"92ead328f26f435f806711439dac16a8009587e1"},{"introduced":"c124aacc32329f69f3e8189c61c5d82f6d9fcd47"},{"fixed":"3c9ad0a1740578a238ed49ebb95e73cfef4c2986"}],"database_specific":{"source":"CPE_FIELD","cpe":"cpe:2.3:a:phpmyadmin:phpmyadmin:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"4.9.0"},{"fixed":"4.9.6"},{"introduced":"5.0.0"},{"fixed":"5.0.3"}]}}],"versions":["RELEASE_5_0_2","RELEASE_4_9_5","RELEASE_5_0_1","RELEASE_4_9_4","RELEASE_5_0_0","RELEASE_4_9_3","RELEASE_4_9_2","RELEASE_4_9_1","RELEASE_4_9_0_1","RELEASE_4_9_0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-26934.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}