Critical severity9.8NVD Advisory· Published Apr 22, 2026· Updated Apr 27, 2026

CVE-2018-25270

Description

ThinkPHP 5.0.23 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by invoking functions through the routing parameter. Attackers can craft requests to the index.php endpoint with malicious function parameters to execute system commands with application privileges.

Affected products

Thinkphp/Thinkphp2 versions
cpe:2.3:a:thinkphp:thinkphp:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:thinkphp:thinkphp:*:*:*:*:*:*:*:*range: >=5.0.0,<5.0.23
- cpe:2.3:a:thinkphp:thinkphp:5.1.31:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.exploit-db.com/exploits/45978nvdExploitThird Party AdvisoryVDB Entry
www.vulncheck.com/advisories/thinkphp-remote-code-execution-via-invokefunctionnvdThird Party Advisory
thinkphp.cnnvdBroken Link

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000