CVE-2016-5734

CRITICAL EXPLOITED IN THE WILD LAB

phpMyAdmin <4.0.10.16, <4.4.15.7, <4.6.3 - RCE

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2016-5734 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 5 public exploits from researchers including @iamsecurity, miko550, HKirito, including a Metasploit module exploits/multi/http/phpmyadmin_null_termination_exec.

AI-analyzed exploit summary This exploit leverages a regex null byte vulnerability in phpMyAdmin 4.3.0-4.6.2 to achieve remote code execution (RCE) by manipulating the find-and-replace functionality. It requires valid credentials and targets PHP versions 4.3.0-5.4.6 due to a regex fix in later versions.

Description

phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not properly choose delimiters to prevent use of the preg_replace e (aka eval) modifier, which might allow remote attackers to execute arbitrary PHP code via a crafted string, as demonstrated by the table search-and-replace implementation.

Exploits (5)

exploitdb WORKING POC
by @iamsecurity · pythonwebappsphp
https://www.exploit-db.com/exploits/40185

This exploit leverages a regex null byte vulnerability in phpMyAdmin 4.3.0-4.6.2 to achieve remote code execution (RCE) by manipulating the find-and-replace functionality. It requires valid credentials and targets PHP versions 4.3.0-5.4.6 due to a regex fix in later versions.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: phpMyAdmin 4.3.0-4.6.2
Auth required
Prerequisites: Valid phpMyAdmin credentials · PHP version 4.3.0-5.4.6 · Access to an existing database
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 1 stars
by miko550 · remote
https://github.com/miko550/CVE-2016-5734-docker

This repository contains a functional exploit for CVE-2016-5734, a remote code execution vulnerability in phpMyAdmin 4.0.x-4.6.2. The exploit leverages a find-and-replace feature with a crafted regex to inject malicious PHP code into a database table, which is then executed.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: phpMyAdmin 4.0.x-4.6.2
Auth required
Prerequisites: Valid phpMyAdmin credentials · PHP version 4.3.0-5.4.6 (due to null byte regex behavior)
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC
by HKirito · remote-auth
https://github.com/HKirito/phpmyadmin4.4_cve-2016-5734

This is a functional exploit for CVE-2016-5734, targeting a regex-based vulnerability in phpMyAdmin 4.3.0-4.6.2. It leverages a null byte injection in the find-and-replace feature to achieve remote code execution (RCE) when combined with valid credentials.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: phpMyAdmin 4.3.0-4.6.2
Auth required
Prerequisites: Valid phpMyAdmin credentials · PHP version 4.3.0-5.4.6 (due to null byte regex behavior)
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec STUB
by KosukeShimofuji · poc
https://github.com/KosukeShimofuji/CVE-2016-5734

This repository contains Ansible playbooks for setting up a test environment but lacks any exploit code or technical details related to CVE-2016-5734. It appears to be a placeholder or incomplete project.

Classification
Stub 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: N/A
No auth needed
Prerequisites: Ansible
devstral-2 · analyzed Feb 18, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by Michal Čihař and Cure53 · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/phpmyadmin_null_termination_exec.rb

This Metasploit module exploits a preg_replace eval injection vulnerability in phpMyAdmin (CVE-2016-5734) to achieve authenticated remote code execution. It leverages improper delimiter handling in the search-and-replace functionality to inject arbitrary PHP code.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: phpMyAdmin 4.0.x < 4.0.10.16, 4.4.x < 4.4.15.7, 4.6.x < 4.6.3
Auth required
Prerequisites: Authenticated access to phpMyAdmin · PHP version <= 5.4.6 · Existing database on the server
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6
Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/40185/
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/91387
Patch, Vendor Advisory x_refsource_confirm
https://www.phpmyadmin.net/security/PMASA-2016-27/
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201701-32

Scores

CVSS v3 9.8
EPSS 0.8702
EPSS Percentile 99.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Lab Environment

COMMUNITY
Community Lab
docker pull vulhub/phpmyadmin:4.4.15.6
docker pull mysql:5.5
+3 more repos

Details

VulnCheck KEV 2024-05-10
InTheWild.io 2024-05-17
CWE
CWE-94
Status published
Products (47)
phpmyadmin/phpmyadmin 4.0.0
phpmyadmin/phpmyadmin 4.0.1
phpmyadmin/phpmyadmin 4.0.2
phpmyadmin/phpmyadmin 4.0.3
phpmyadmin/phpmyadmin 4.0.4
phpmyadmin/phpmyadmin 4.0.4.1
phpmyadmin/phpmyadmin 4.0.4.2
phpmyadmin/phpmyadmin 4.0.5
phpmyadmin/phpmyadmin 4.0.6
phpmyadmin/phpmyadmin 4.0.7
... and 37 more
Published Jul 03, 2016
Tracked Since Feb 18, 2026