
phpMyAdmin, a popular web-based tool for managing MySQL and MariaDB databases, has addressed two cross-site scripting (XSS) vulnerabilities in its latest release, version 5.2.2. These vulnerabilities, discovered in the “Check tables” (CVE-2025-24530) and “Insert” features (CVE-2025-24529), could allow attackers to inject malicious scripts into the application, potentially compromising user accounts and sensitive data.
“A specially-crafted table or database name could be used to trigger an XSS attack,” the phpMyAdmin team explained in their security advisory.
While the severity of these vulnerabilities is considered moderate, users are strongly encouraged to update to phpMyAdmin 5.2.2 or newer as soon as possible. The update includes patches that effectively mitigate these XSS vulnerabilities.
In addition to the XSS fixes, phpMyAdmin 5.2.2 also addresses a potential vulnerability related to the glibc/iconv library. This vulnerability, tracked as CVE-2024-2961, could be exploited under specific circumstances to execute arbitrary code. However, the phpMyAdmin team has clarified that “by default, phpMyAdmin is not vulnerable.”
To address these issues, phpMyAdmin recommends:
- Upgrading to Version 5.2.2: The latest release resolves all identified vulnerabilities.
- Applying Patches [1,2,3]: If upgrading is not immediately possible, apply the patches provided in the commits.
- Strengthening Security Configurations:
- Disable unnecessary features like $cfg[‘RecodingEngine’] if not in use.
- Ensure security updates for glibc are installed.