Back to KEVs

CVE-2021-21311

SSRF in adminer

Basic Information

CVE State
PUBLISHED
Reserved Date
December 22, 2020
Published Date
February 11, 2021
Last Updated
October 21, 2025
Vendor
vrana
Product
adminer
Description
Adminer is an open-source database management in a single PHP file. In adminer from version 4.0.0 and before 4.7.9 there is a server-side request forgery vulnerability. Users of Adminer versions bundling all drivers (e.g. `adminer.php`) are affected. This is fixed in version 4.7.9.
Tags
cisa nuclei_scanner

CVSS Scores

CVSS v3.1

7.2 - HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

SSVC Information

Exploitation
active
Automatable
Yes
Technical Impact
partial

Exploit Status

Exploited in the Wild
Yes (2026-06-01 13:30:37 UTC) Source
Proof of Concept Available
Yes (added 2022-02-14 18:54:53 UTC) Source

References

https://github.com/vrana/adminer/security/advisories/GHSA-x5r2-hj5c-8jx6 https://github.com/vrana/adminer/files/5957311/Adminer.SSRF.pdf https://packagist.org/packages/vrana/adminer https://github.com/vrana/adminer/commit/ccd2374b0b12bd547417bf0dacdf153826c83351 https://lists.debian.org/debian-lts-announce/2021/03/msg00002.html

Known Exploited Vulnerability Information

Source Added Date
CVE 2026-06-01 10:41:16 UTC

Scanner Integrations

Scanner URL Date Detected
Nuclei https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-21311.yaml 2025-04-25 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

omoknooni/CVE-2021-21311

Type: github • Created: 2023-06-12 13:32:52 UTC • Stars: 2

llhala/CVE-2021-21311

Type: github • Created: 2022-02-14 18:54:53 UTC • Stars: 6

Adminer is an open-source database management in a single PHP file. In adminer from version 4.0.0 and before 4.7.9 there is a server-side request forgery vulnerability. Users of Adminer versions bundling all drivers (e.g. `adminer.php`) are affected. This is fixed in version 4.7.9.

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Proof of Concept Exploit Available

  • Detected by Nuclei

  • Added to KEVIntel