phpMyAdmin is the most popular database management tool on the web. Written in PHP, it provides a graphical interface for MySQL and MariaDB. Unfortunately, its ubiquity makes it a prime target for attackers. In the world of penetration testing and red teaming (often summarized as "HackTricks"), phpMyAdmin is a goldmine, capable of leading to Remote Code Execution (RCE), Local File Inclusion (LFI), SQL injection, and privilege escalation.

1. CVE-2018-12613: Authenticated LFI to RCE (The Classic LFI)

The fix: phpMyAdmin introduced strict whitelisting for page parameters. In modern versions, the application strictly validates which files can be included, preventing redirection to session files or temporary system paths. Independently of the patch, restricting PHP's command-execution functions in php.ini limits what a file inclusion can be turned into:

disable_functions = exec, passthru, shell_exec, system, proc_open, popen, curl_exec, curl_multi_exec

2. Hardening the config.inc.php Exposure

Set local_infile = OFF in the MySQL configuration to prevent unauthorized file reading.
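A small audit script, added here as an example and not part of the original article or of phpMyAdmin, that checks a host's php.ini and my.cnf text for the two settings above: that disable_functions covers every function in the hardened line, and that local_infile is explicitly OFF. The sample configs are constructed inline; no real host or file path is assumed.

```python
import re

# Command-execution functions the hardened disable_functions line above names.
REQUIRED_DISABLED = {"exec", "passthru", "shell_exec", "system",
                     "proc_open", "popen", "curl_exec", "curl_multi_exec"}

# Constructed sample configs (hypothetical hosts), weak beside hardened.
WEAK_PHP_INI = "[PHP]\n; nothing disabled\ndisable_functions =\n"
HARDENED_PHP_INI = ("[PHP]\ndisable_functions = exec, passthru, shell_exec, "
                    "system, proc_open, popen, curl_exec, curl_multi_exec\n")
WEAK_MY_CNF = "[mysqld]\n# local_infile left at its default\n"
HARDENED_MY_CNF = "[mysqld]\nlocal_infile = OFF\n"


def parse_ini(text):
    """Map 'key = value' lines to a dict; comments (; or #) and [sections] are
    ignored. Keys are lower-cased and '-' becomes '_' (my.cnf accepts local-infile)."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].split("#", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        m = re.match(r"([\w.\-]+)\s*=\s*(.*)$", line)
        if m:
            key = m.group(1).strip().lower().replace("-", "_")
            settings[key] = m.group(2).strip().strip('"')
    return settings


def missing_disabled_functions(php_ini_text):
    """Return the REQUIRED_DISABLED functions that disable_functions omits."""
    raw = parse_ini(php_ini_text).get("disable_functions", "")
    disabled = {f.strip().lower() for f in raw.split(",") if f.strip()}
    return sorted(REQUIRED_DISABLED - disabled)


def local_infile_is_off(my_cnf_text):
    """True only when local_infile is explicitly OFF. An absent key is reported as
    not off: a bare 'local_infile' line or the build default may leave it enabled."""
    value = parse_ini(my_cnf_text).get("local_infile", "").lower()
    return value in {"off", "0", "false"}


def audit(php_ini_text, my_cnf_text):
    """List findings for the two controls; an empty list means both are in place."""
    findings = []
    missing = missing_disabled_functions(php_ini_text)
    if missing:
        findings.append("disable_functions does not cover: " + ", ".join(missing))
    if not local_infile_is_off(my_cnf_text):
        findings.append("local_infile is not OFF")
    return findings
```

Run audit() on the contents of the real php.ini and my.cnf; an empty list means both controls are present, while each finding names exactly what is missing.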
Modern versions of phpMyAdmin automatically disable or heavily restrict access to the setup configuration utility once a primary configuration file exists. Furthermore, package managers now routinely delete or separate the setup directory entirely after deployment.

3. SQL Injection Vulnerabilities

Various SQL injection vulnerabilities existed where certain parameters were not properly escaped when generating queries, particularly during table search actions.

Conclusion

The landscape of phpMyAdmin vulnerabilities is constantly evolving, from the SQL injections of the early 2010s to the sophisticated XSS chains and LFI-to-RCE techniques documented by the HackTricks community today. The 2025 patches for CVE-2025-24529, CVE-2025-24530, and CVE-2024-2961 mark important milestones in securing this critical database management tool.

The exploits listed on sites like HackTricks from the 2018-2020 era are, in 2026, largely mitigated. However, that does not mean phpMyAdmin is automatically secure. The greatest vulnerability today is running an outdated version or leaving it misconfigured.