{"id":"CVE-2020-26935","details":"An issue was discovered in SearchController in phpMyAdmin before 4.9.6 and 5.x before 5.0.3. A SQL injection vulnerability was discovered in how phpMyAdmin processes SQL statements in the search feature. An attacker could use this flaw to inject malicious SQL into a query.","aliases":["BIT-phpmyadmin-2020-26935","GHSA-7ff4-cv53-4cjq"],"modified":"2026-04-16T00:03:29.632511954Z","published":"2020-10-10T19:15:12.370Z","related":["openSUSE-SU-2020:1675-1","openSUSE-SU-2020:1806-1","openSUSE-SU-2024:11171-1"],"database_specific":{"unresolved_ranges":[{"cpe":"cpe:2.3:a:opensuse:backports_sle:15.0:-:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"15.0-NA"}]},{"cpe":"cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"15.0-sp1"}]},{"cpe":"cpe:2.3:a:opensuse:backports_sle:15.0:sp2:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"15.0-sp2"}]},{"cpe":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"9.0"}]},{"cpe":"cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"31"}]},{"cpe":"cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"32"}]},{"cpe":"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"33"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"15.1"}]},{"cpe":"cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"15.2"}]}]},"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FHST4E5IJG7IKZTTW3R6MEZPVHJZ472K/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.o
rg/message/PXK37YEHSDYCIPQSYEMN2OFTP2ZLM7DO/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TNLGHVDNAEZEGRTUESSSQFM7MZTHIDQ5/"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00027.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00005.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/10/msg00024.html"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202101-35"},{"type":"FIX","url":"https://www.phpmyadmin.net/security/PMASA-2020-6/"},{"type":"EVIDENCE","url":"https://advisory.checkmarx.net/advisory/CX-2020-4281"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/phpmyadmin/phpmyadmin","events":[{"introduced":"4ab33481be875d188d5e5c0860dd1499cd92e9d3"},{"fixed":"92ead328f26f435f806711439dac16a8009587e1"},{"introduced":"c124aacc32329f69f3e8189c61c5d82f6d9fcd47"},{"fixed":"3c9ad0a1740578a238ed49ebb95e73cfef4c2986"}],"database_specific":{"cpe":"cpe:2.3:a:phpmyadmin:phpmyadmin:*:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"introduced":"4.9.0"},{"fixed":"4.9.6"},{"introduced":"5.0.0"},{"fixed":"5.0.3"}]}}],"versions":["RELEASE_4_9_0","RELEASE_4_9_0_1","RELEASE_4_9_1","RELEASE_4_9_2","RELEASE_4_9_3","RELEASE_4_9_4","RELEASE_4_9_5","RELEASE_5_0_0","RELEASE_5_0_1","RELEASE_5_0_2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-26935.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}