CVE-2026-25892
Published: 09 February 2026
Summary
CVE-2026-25892 is a high-severity Improper Input Validation (CWE-20) vulnerability in Adminer. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks in the top 11.1% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
Adminer is open-source database management software, and versions 5.4.1 and earlier contain a flaw in the version-check endpoint at ?script=version. The mechanism receives version information via browser postMessage from adminer.org but performs no origin validation on incoming POST requests, allowing an attacker-supplied version[] parameter that PHP automatically converts into an array; subsequent calls to openssl_verify then receive the array instead of a string and raise a TypeError that produces an HTTP 500 response.
An unauthenticated remote attacker can send a single crafted POST containing the array parameter to trigger the crash. Because the error occurs on the next page load for any user, the attack results in a denial-of-service condition that renders the Adminer instance unavailable until the process is restarted.
The referenced GitHub security advisory, commit 21d3a3150388677b18647d68aec93b7850e457d3, and release v5.4.2 state that the issue is resolved by upgrading to Adminer 5.4.2, which adds proper origin checks and input sanitization for the version endpoint.
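The following is an added illustration, not Adminer's code and not taken from the advisory or the fixing commit. It shows the CWE-20 pattern described above in plain PHP: a POST key written as `version[]` arrives in `$_POST` as an array, and `openssl_verify()` throws a `TypeError` when given that array instead of a string. Beside it is a hardened handler that validates the request origin and the parameter type before any OpenSSL call, so malformed input produces a 400 rather than a 500. The function name `handleVersionPost`, the constant `SELF_ORIGIN`, the `version`/`signature` parameter layout and the same-origin check are all assumptions; the advisory does not describe how Adminer 5.4.2 implements its checks.

```php
<?php
// Added example for CVE-2026-25892, not Adminer's own code. It shows the CWE-20
// pattern the advisory describes (a POST key written as "version[]" arrives in
// $_POST as an array, and openssl_verify() throws a TypeError when handed an
// array instead of a string) and a hardened handler that rejects such input
// before any crypto call. Names, parameter layout (version + signature fields)
// and the same-origin check are assumptions, not Adminer's actual implementation.

// Assumption: the Adminer instance's own origin. The browser-side JavaScript
// POSTs to ?script=version from the Adminer page itself, so a same-origin check
// on the Origin header is what a hardened endpoint would enforce.
const SELF_ORIGIN = 'https://db-admin.example.internal';

/**
 * Hardened version-check handler (hypothetical). Takes the request arrays
 * explicitly so it can be exercised offline, and returns the HTTP status the
 * caller should emit: 200 on a valid signed version string, 400 on malformed
 * input, 403 on an unexpected origin. No code path lets a TypeError escape as 500.
 */
function handleVersionPost(array $post, array $server, string $publicKeyPem): int
{
    // 1. Origin validation: the original endpoint accepted POSTs from any source.
    if (($server['HTTP_ORIGIN'] ?? '') !== SELF_ORIGIN) {
        return 403;
    }

    // 2. Input validation (the CWE-20 fix): a key like "version[]" makes PHP
    //    build an array, so insist on plain strings before touching OpenSSL.
    $version   = $post['version']   ?? null;
    $signature = $post['signature'] ?? null;
    if (!is_string($version) || !is_string($signature) || $version === '') {
        return 400;
    }
    // Strict base64 decoding rejects garbage rather than silently skipping it.
    $sigRaw = base64_decode($signature, true);
    if ($sigRaw === false) {
        return 400;
    }

    // 3. Signature check, now guaranteed to receive strings.
    $key = openssl_pkey_get_public($publicKeyPem);
    if ($key === false) {
        return 500; // server misconfiguration, not attacker-controlled input
    }
    return openssl_verify($version, $sigRaw, $key, OPENSSL_ALGO_SHA256) === 1 ? 200 : 400;
}

// --- Constructed demonstration inputs (not real adminer.org data) ---

// What PHP builds from a body of "version[]=5.4.1&signature=AAAA": an array,
// which is exactly the kind of value that made openssl_verify() throw in 5.4.1.
parse_str('version[]=5.4.1&signature=AAAA', $arrayBody);
var_dump(is_array($arrayBody['version']));

// Throwaway RSA key pair so the example runs offline; the public half stands in
// for the publisher key the real endpoint would trust.
$pair = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$publicPem = openssl_pkey_get_details($pair)['key'];
openssl_sign('5.4.2', $sig, $pair, OPENSSL_ALGO_SHA256);
$validBody = ['version' => '5.4.2', 'signature' => base64_encode($sig)];

$sameOrigin  = ['HTTP_ORIGIN' => SELF_ORIGIN];
$otherOrigin = ['HTTP_ORIGIN' => 'https://other.example'];

// Valid signed string from the expected origin.
var_dump(handleVersionPost($validBody, $sameOrigin, $publicPem));
// Array-valued parameter: rejected at step 2, no TypeError reaches the client.
var_dump(handleVersionPost($arrayBody, $sameOrigin, $publicPem));
// Well-formed body but wrong origin: rejected at step 1.
var_dump(handleVersionPost($validBody, $otherOrigin, $publicPem));
```

The ordering matters for the denial-of-service angle: the type check runs before the signature check, so the array never reaches `openssl_verify()`, and because the handler returns a status instead of throwing, a single bad request cannot leave a persistent error state for other users of the instance.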
EPSS for the CVE rose from lower values to a peak of 0.0727 on 2026-03-24 before receding to the current score of 0.0446, indicating a temporary increase in exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-6870
Vulnerability details
Adminer is open-source database management software. Adminer v5.4.1 and earlier has a version check mechanism where adminer.org sends signed version info via JavaScript postMessage, which the browser then POSTs to ?script=version. This endpoint lacks origin validation and accepts POST data from any source. An attacker can POST a version[] parameter, which PHP converts to an array. On the next page load, openssl_verify() receives this array instead of a string and throws a TypeError, returning HTTP 500 to all users. Upgrade to Adminer 5.4.2.
- CWE(s): CWE-20 (Improper Input Validation)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remote unauthenticated attacker sending a crafted POST to the version-check endpoint, causing a TypeError in openssl_verify() that results in persistent HTTP 500 responses and denies service to all users. This directly matches T1499.004 (Application or System Exploitation) under Endpoint Denial of Service.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly addresses the improper input validation (CWE-20) by requiring that the version[] POST parameter be validated as a string before it is processed with openssl_verify(), preventing the TypeError.
- Ensures that error handling for exceptions such as TypeError does not propagate into HTTP 500 responses and a server-wide denial of service on subsequent page loads.
- SC-5 (Denial-of-service Protection): provides protection against the network-accessible, low-complexity DoS attack by blocking or rate-limiting malicious POST requests to the vulnerable ?script=version endpoint.