Export CSV

Products

1 vendor
VendorProductsCVEsKEVAvg EPSSWorst Severity
127161.8%CRITICAL

Related CVEs

27
CVE IDDescriptionSeverityCVSSKEVEPSSPublished
CVE-2018-25270ThinkPHP 5.0.23 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by invoking functions through the routing parameter. Attackers can craft requests to the index.php endpoint with malicious function parameters to execute system commands with application privileges.CRITICAL9.354.9%Apr 22, 2026
CVE-2025-63889The fetch function in file thinkphp\library\think\Template.php in ThinkPHP 5.0.24 allows attackers to read arbitrary files via crafted file path in a template value.HIGH7.517.8%Nov 20, 2025
CVE-2025-63888The read function in file thinkphp\library\think\template\driver\File.php in ThinkPHP 5.0.24 contains a remote code execution vulnerability.CRITICAL9.838.7%Nov 20, 2025
CVE-2025-50707An issue in thinkphp3 v.3.2.5 allows a remote attacker to execute arbitrary code via the index.php componentCRITICAL9.858.0%Aug 5, 2025
CVE-2025-50706An issue in thinkphp v.5.1 allows a remote attacker to execute arbitrary code via the routecheck functionCRITICAL9.858.0%Aug 5, 2025
CVE-2024-48112A deserialization vulnerability in the component \controller\Index.php of Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code.CRITICAL9.853.9%Oct 30, 2024
CVE-2024-44902A deserialization vulnerability in Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code.CRITICAL9.889.9%Sep 9, 2024
CVE-2024-34467ThinkPHP 8.0.3 allows remote attackers to exploit XSS due to inadequate filtering of function argument values in think_exception.tpl.MEDIUM6.133.4%May 4, 2024
CVE-2022-45982thinkphp 6.0.0~6.0.13 and 6.1.0~6.1.1 contains a deserialization vulnerability. This vulnerability allows attackers to execute arbitrary code via a crafted payload.CRITICAL9.8Feb 8, 2023
CVE-2022-47945ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled (lang_switch_on=true). An unauthenticated and remote attacker can exploit this to execute arbitrary operating system commands, as demonstrated by including pearcmd.php.CRITICAL9.8Dec 23, 2022
CVE-2022-44289Thinkphp 5.1.41 and 5.0.24 has a code logic error which causes file upload getshell.HIGH8.8Dec 6, 2022
CVE-2022-38352ThinkPHP v6.0.13 was discovered to contain a deserialization vulnerability via the component League\Flysystem\Cached\Storage\Psr6Cache. This vulnerability allows attackers to execute arbitrary code via a crafted payload.CRITICAL9.8Sep 15, 2022
CVE-2022-33107ThinkPHP v6.0.12 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-adapter\src\Storage\AbstractCache.php. This vulnerability allows attackers to execute arbitrary code via a crafted payload.CRITICAL9.8Jun 29, 2022
CVE-2021-23592The package topthink/framework before 6.0.12 are vulnerable to Deserialization of Untrusted Data due to insecure unserialize method in the Driver class.CRITICAL9.8May 6, 2022
CVE-2022-25481ThinkPHP Framework v5.0.24 was discovered to be configured without the PATHINFO parameter. This allows attackers to access all system environment parameters from index.php. NOTE: this is disputed by a third party because system environment exposure is an intended feature of the debugging mode.HIGH7.5Mar 21, 2022
CVE-2021-44892A Remote Code Execution (RCE) vulnerability exists in ThinkPHP 3.x.x via value[_filename] in index.php, which could let a malicious user obtain server control privileges.HIGH8.8Feb 10, 2022
CVE-2021-44350SQL Injection vulnerability exists in ThinkPHP5 5.0.x <=5.1.22 via the parseOrder function in Builder.php.CRITICAL9.8Dec 15, 2021
CVE-2021-36567ThinkPHP v6.0.8 was discovered to contain a deserialization vulnerability via the component League\Flysystem\Cached\Storage\AbstractCache.CRITICAL9.8Dec 6, 2021
CVE-2021-36564ThinkPHP v6.0.8 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-adapter\src\Storage\Adapter.php.CRITICAL9.8Dec 6, 2021
CVE-2020-20120ThinkPHP v3.2.3 and below contains a SQL injection vulnerability which is triggered when the array is not passed to the "where" and "query" methods.CRITICAL9.875.0%Sep 28, 2021