CVE-2019-25454 MEDIUM

CVE-2019-25454: phpMoAdmin 1.1.5 Stored Cross-Site Scripting via collection Parameter

Vendor Phpmoadmin

Product phpMoAdmin

Weakness CWE-79 · XSS

Published February 20, 2026

Last update April 7, 2026

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

phpMoAdmin 1.1.5 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the collection parameter. Attackers can send GET requests to moadmin.php with script payloads in the collection parameter during collection creation to execute arbitrary JavaScript in users' browsers.

Key dates

02Disclosure timeline

February 20, 2026 CVE published

April 7, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2019-25454

Related vulnerabilities

04Related CVE

CVE-2025-26662 Cross-Site Scripting (XSS) vulnerability in the SAP Data Services Management Console CVE-2025-7943 PHPGurukul Taxi Stand Management System search-autoortaxi.php cross site scripting CVE-2024-5379 JFinalCMS template cross site scripting CVE-2025-15000 Page Keys <= 1.3.3 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'page_key' Parameter CVE-2024-33927 WordPress Giphypress plugin <= 1.6.2 - Cross Site Scripting (XSS) vulnerability