Cyber Resilience

CVE-2026-25892

Severity: High · Public PoC available

Published: 09 February 2026
Modified: 20 February 2026
CVSS v3.1 Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0416 (88.9th percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-25892 is a high-severity Improper Input Validation (CWE-20) vulnerability in Adminer (vendor: Adminer). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks in the top 11.1% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

Adminer is open-source database management software, and versions 5.4.1 and earlier contain a flaw in the version-check endpoint at ?script=version. The mechanism receives version information via browser postMessage from adminer.org, but the endpoint performs no origin validation on incoming POST requests. An attacker can therefore supply a version[] parameter, which PHP automatically decodes into an array; the subsequent call to openssl_verify receives that array instead of a string and raises a TypeError, which surfaces as an HTTP 500 response.

An unauthenticated remote attacker can send a single crafted POST containing the array parameter to trigger the crash. Because the error occurs on the next page load for any user, the attack results in a denial-of-service condition that renders the Adminer instance unavailable until the process is restarted.

The referenced GitHub security advisory, commit 21d3a3150388677b18647d68aec93b7850e457d3, and release v5.4.2 state that the issue is resolved by upgrading to Adminer 5.4.2, which adds proper origin checks and input sanitization for the version endpoint.
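As an added illustration (not Adminer's own code and not the contents of the fix commit), the PHP fragment below shows the type-juggling root cause and the string check that removes it: PHP decodes a body of `version[]=...` into an array, and openssl_verify() in PHP 8 throws TypeError when handed a non-string. The parameter names, the digest algorithm and the key material are assumptions for the example.

```php
<?php
// Added example, not Adminer's own code. Shows how a POST parameter can
// arrive as an array and why it must be type-checked before openssl_verify().

// Assumed names: Adminer's real parameter names and key handling may differ.
const VERSION_PARAM   = 'version';
const SIGNATURE_PARAM = 'signature';
const PUBLIC_KEY_PEM  = "-----BEGIN PUBLIC KEY-----\nPLACEHOLDER\n-----END PUBLIC KEY-----\n";

/**
 * Return the signed version string when the payload is well-formed and the
 * signature verifies, or null otherwise. Never throws on untrusted input.
 */
function verified_version(array $post, string $publicKeyPem): ?string
{
    $version   = $post[VERSION_PARAM]   ?? null;
    $signature = $post[SIGNATURE_PARAM] ?? null;

    // Root cause of CVE-2026-25892: a body of "version[]=x" makes $version an
    // array, and openssl_verify(array, ...) throws TypeError -> HTTP 500.
    // Rejecting non-strings up front turns that into a handled 400 below.
    if (!is_string($version) || !is_string($signature)) {
        return null;
    }
    // Bound sizes so the endpoint cannot be made to do unbounded work either.
    if ($version === '' || strlen($version) > 64 || strlen($signature) > 1024) {
        return null;
    }
    $rawSig = base64_decode($signature, true);
    if ($rawSig === false) {
        return null;
    }
    $key = openssl_pkey_get_public($publicKeyPem);
    if ($key === false) {
        return null; // misconfigured key: fail closed rather than crash
    }
    // The digest algorithm is an assumption for the example.
    return openssl_verify($version, $rawSig, $key, OPENSSL_ALGO_SHA256) === 1
        ? $version : null;
}

// Handler: malformed or unsigned input gets a client error, not a 500.
$version = verified_version($_POST, PUBLIC_KEY_PEM);
if ($version === null) {
    http_response_code(400);
    exit('invalid version payload');
}
// ... store $version for the version check as the application normally would.
```

The origin check the advisory also mentions is a separate control on the request source and is not shown here.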

EPSS for the CVE rose from lower values to a peak of 0.0727 on 2026-03-24 before receding to the current score of 0.0446, indicating a temporary increase in exploitation interest after disclosure.


Vulnerability details

Adminer is open-source database management software. Adminer v5.4.1 and earlier has a version check mechanism where adminer.org sends signed version info via JavaScript postMessage, which the browser then POSTs to ?script=version. This endpoint lacks origin validation and accepts POST data from any source. An attacker can POST a version[] parameter which PHP converts to an array. On next page load, openssl_verify() receives this array instead of a string and throws TypeError, returning HTTP 500 to all users. Upgrade to Adminer 5.4.2.


Related Threats

MITRE ATT&CK Enterprise Techniques [AI-generated mapping]

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The CVE describes a remote, unauthenticated attacker sending a crafted POST to the version-check endpoint, causing a TypeError in openssl_verify() that results in persistent HTTP 500 responses and denies service to all users. This directly matches T1499.004 (Application or System Exploitation) under Endpoint Denial of Service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-43960 (same product: Adminer)
CVE-2026-22862 (shared CWE-20)
CVE-2026-22868 (shared CWE-20)
CVE-2025-70123 (shared CWE-20)
CVE-2025-61616 (shared CWE-20)
CVE-2026-22565 (shared CWE-20)
CVE-2026-22699 (shared CWE-20)
CVE-2026-33218 (shared CWE-20)
CVE-2025-59032 (shared CWE-20)
CVE-2026-22700 (shared CWE-20)

Affected Assets

Vendor: adminer
Product: adminer
Versions: 4.6.2 to 5.4.2

Mitigating Controls (NIST 800-53 r5) [AI-generated mapping]

[prevent] Directly addresses the improper input validation (CWE-20) by requiring validation of the version[] POST parameter as a string before processing with openssl_verify(), preventing the TypeError.

[prevent] Ensures error handling for exceptions like TypeError does not propagate to cause HTTP 500 errors and server-wide denial-of-service on subsequent page loads.

[prevent, detect] Provides protection against the network-accessible, low-complexity DoS attack by blocking or limiting malicious POST requests to the vulnerable ?script=version endpoint.
