Thinkphp

thinkphp

Vendor: Thinkphp • 27 CVEs

CVEs (27)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2018-25270 1Thinkphp 1Thinkphp Apr 27, 2026 Apr 22, 2026 9.3 CRITICAL· v4 9.8 CRITICAL· v3 N/A· v2 ThinkPHP 5.0.23 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by invoking functions through the routing parameter. Attackers can craft requests to the...Show more ThinkPHP 5.0.23 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by invoking functions through the routing parameter. Attackers can craft requests to the index.php endpoint with malicious function parameters to execute system commands with application privileges.Show less
CVE-2025-63889 1Thinkphp 1Thinkphp Nov 25, 2025 Nov 20, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 The fetch function in file thinkphp\library\think\Template.php in ThinkPHP 5.0.24 allows attackers to read arbitrary files via crafted file path in a template value.
CVE-2025-63888 1Thinkphp 1Thinkphp Nov 25, 2025 Nov 20, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 The read function in file thinkphp\library\think\template\driver\File.php in ThinkPHP 5.0.24 contains a remote code execution vulnerability.
CVE-2025-50707 1Thinkphp 1Thinkphp Aug 14, 2025 Aug 5, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue in thinkphp3 v.3.2.5 allows a remote attacker to execute arbitrary code via the index.php component
CVE-2025-50706 1Thinkphp 1Thinkphp Aug 14, 2025 Aug 5, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue in thinkphp v.5.1 allows a remote attacker to execute arbitrary code via the routecheck function
CVE-2024-48112 1Thinkphp 1Thinkphp Jun 17, 2025 Oct 30, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 A deserialization vulnerability in the component \controller\Index.php of Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code.
CVE-2024-44902 1Thinkphp 1Thinkphp Sep 20, 2024 Sep 9, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 A deserialization vulnerability in Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code.
CVE-2024-34467 1Thinkphp 1Thinkphp Jun 17, 2025 May 4, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 ThinkPHP 8.0.3 allows remote attackers to exploit XSS due to inadequate filtering of function argument values in think_exception.tpl.
CVE-2022-45982 1Thinkphp 1Thinkphp Mar 25, 2025 Feb 8, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 thinkphp 6.0.0~6.0.13 and 6.1.0~6.1.1 contains a deserialization vulnerability. This vulnerability allows attackers to execute arbitrary code via a crafted payload.
CVE-2022-47945 1Thinkphp 1Thinkphp Apr 15, 2025 Dec 23, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled (lang_switch_on=true). An unauthenticated and remote attacker can exploit this to execute arbi...Show more ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled (lang_switch_on=true). An unauthenticated and remote attacker can exploit this to execute arbitrary operating system commands, as demonstrated by including pearcmd.php.Show less
CVE-2022-44289 1Thinkphp 1Thinkphp Apr 23, 2025 Dec 6, 2022 N/A· v4 8.8 HIGH· v3 N/A· v2 Thinkphp 5.1.41 and 5.0.24 has a code logic error which causes file upload getshell.
CVE-2022-38352 1Thinkphp 1Thinkphp Nov 21, 2024 Sep 15, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 ThinkPHP v6.0.13 was discovered to contain a deserialization vulnerability via the component League\Flysystem\Cached\Storage\Psr6Cache. This vulnerability allows attackers to execute arbitrary code via a crafted payload.
CVE-2022-33107 1Thinkphp 1Thinkphp Nov 21, 2024 Jun 29, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 ThinkPHP v6.0.12 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-adapter\src\Storage\AbstractCache.php. This vulnerability allows attackers to execute arbitrary...Show more ThinkPHP v6.0.12 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-adapter\src\Storage\AbstractCache.php. This vulnerability allows attackers to execute arbitrary code via a crafted payload.Show less
CVE-2021-23592 1Thinkphp 1Thinkphp Nov 21, 2024 May 6, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 The package topthink/framework before 6.0.12 are vulnerable to Deserialization of Untrusted Data due to insecure unserialize method in the Driver class.
CVE-2022-25481 1Thinkphp 1Thinkphp Nov 21, 2024 Mar 21, 2022 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 ThinkPHP Framework v5.0.24 was discovered to be configured without the PATHINFO parameter. This allows attackers to access all system environment parameters from index.php. NOTE: this is disputed by a third party because...Show more ThinkPHP Framework v5.0.24 was discovered to be configured without the PATHINFO parameter. This allows attackers to access all system environment parameters from index.php. NOTE: this is disputed by a third party because system environment exposure is an intended feature of the debugging mode.Show less
CVE-2021-44892 1Thinkphp 1Thinkphp Nov 21, 2024 Feb 10, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 A Remote Code Execution (RCE) vulnerability exists in ThinkPHP 3.x.x via value[_filename] in index.php, which could let a malicious user obtain server control privileges.
CVE-2021-44350 1Thinkphp 1Thinkphp Nov 21, 2024 Dec 15, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 SQL Injection vulnerability exists in ThinkPHP5 5.0.x <=5.1.22 via the parseOrder function in Builder.php.
CVE-2021-36567 1Thinkphp 1Thinkphp Nov 21, 2024 Dec 6, 2021 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 ThinkPHP v6.0.8 was discovered to contain a deserialization vulnerability via the component League\Flysystem\Cached\Storage\AbstractCache.
CVE-2021-36564 1Thinkphp 1Thinkphp Nov 21, 2024 Dec 6, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 ThinkPHP v6.0.8 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-adapter\src\Storage\Adapter.php.
CVE-2020-20120 1Thinkphp 1Thinkphp Nov 21, 2024 Sep 28, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 ThinkPHP v3.2.3 and below contains a SQL injection vulnerability which is triggered when the array is not passed to the "where" and "query" methods.

12 Next