Announcement-ID: PMASA-2023-1

Date: 2023-02-07


XSS vulnerability in drag-and-drop upload


An XSS vulnerability has been discovered where an authenticated user can trigger an XSS attack by uploading a specially-crafted .sql file through the drag-and-drop interface.


We consider this vulnerability to be of moderate severity.

Mitigation factor

By disabling the configuration directive `$cfg['enable_drag_drop_import']`, users will be unable to use the drag and drop upload which would protect against the vulnerability.

Affected Versions

phpMyAdmin versions prior to 4.9.11 and 5.2.1 are affected. The vulnerability has existed since release version 4.3.0.


Upgrade to phpMyAdmin 5.2.1 or 4.9.11 or newer or apply patch listed below.


Thanks to a user who wishes to remain anonymous for reporting this vulnerability.

Assigned CVE ids: CVE-2023-25727

CWE ids: CWE-661


The following commits have been made on the 4.9 branch to fix this issue:

The following commits have been made on the 5.2 branch to fix this issue:

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is