Announcement-ID: PMASA-2018-6

Date: 2018-12-07


Local file inclusion through transformation feature


A flaw has been found where an attacker can exploit phpMyAdmin to leak the contents of a local file. The attacker must have access to the phpMyAdmin Configuration Storage tables, although these can easily be created in any database to which the attacker has access. An attacker must have valid credentials to log in to phpMyAdmin; this vulnerability does not allow an attacker to circumvent the login system.


We consider this vulnerability to be severe.

Affected Versions

phpMyAdmin versions from at least 4.0 through 4.8.3 are affected


Upgrade to phpMyAdmin 4.8.4 or newer or apply patch listed below.


This vulnerability was reported by Daniel Le Gall from SCRT

Assigned CVE ids: CVE-2018-19968

CWE ids: CWE-661 CWE-98


The following commits have been made on the 4.8 branch to fix this issue:

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is