CyberSec.Space Logo
返回 CVE 浏览器

CVE-2018-25270

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.0410%
EPSS Percentile27.53th
Published2026年4月22日
Last Modified2026年4月27日

Vulnerability Description

ThinkPHP 5.0.23 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by invoking functions through the routing parameter. Attackers can craft requests to the index.php endpoint with malicious function parameters to execute system commands with application privileges.

Affected Platforms (CPE)

📦
Thinkphp

Thinkphp

>= 5.0.0 and < 5.0.23
📦
Thinkphp

Thinkphp

= 5.1.31

References & Advisories

🔗 https://github.com/top-think/framework/
🔗 https://thinkphp.cn
🔗 https://www.exploit-db.com/exploits/45978
🔗 https://www.vulncheck.com/advisories/thinkphp-remote-code-execution-via-invokefunction

相关漏洞威胁

CVE-2021-365649.8

ThinkPHP v6.0.8 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-adapter...

CVE-2020-201209.8

ThinkPHP v3.2.3 and below contains a SQL injection vulnerability which is triggered when the array is not passed to the "where" an...

CVE-2020-197059.8

thinkphp-zcms as of 20190715 allows SQL injection via index.php?m=home&c=message&a=add.

CVE-2021-365679.8

ThinkPHP v6.0.8 was discovered to contain a deserialization vulnerability via the component League\Flysystem\Cached\Storage\Abstra...