CVE-2023-40619

CRITICAL

phpPgAdmin <7.14.4 - Code Injection

Title source: llm

Description

phpPgAdmin 7.14.4 and earlier is vulnerable to deserialization of untrusted data which may lead to remote code execution because user-controlled data is directly passed to the PHP 'unserialize()' function in multiple places. An example is the functionality to manage tables in 'tables.php' where the 'ma[]' POST parameter is deserialized.

References (2)

Scores

CVSS v3 9.8
EPSS 0.0345
EPSS Percentile 87.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-502
Status published

Affected Products (1)

phppgadmin_project/phppgadmin < 7.14.4

Timeline

Published Sep 20, 2023
Tracked Since Feb 18, 2026