Packagist (Composer) package
topthink/framework
pkg:composer/topthink/framework
Vulnerabilities (19)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-50706 | — | <= 5.1.41 | — | Aug 5, 2025 | An issue in thinkphp v.5.1 allows a remote attacker to execute arbitrary code via the routecheck function | ||
| CVE-2024-44902 | — | >= 6.1.3, <= 8.0.4 | — | Sep 9, 2024 | A deserialization vulnerability in Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code. | ||
| CVE-2024-34467 | — | >= 8.0.0, < 8.0.4 | 8.0.4 | May 4, 2024 | ThinkPHP 8.0.3 allows remote attackers to exploit XSS due to inadequate filtering of function argument values in think_exception.tpl. | ||
| CVE-2022-47945 | — | < 6.0.14 | 6.0.14 | Dec 23, 2022 | ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled (lang_switch_on=true). An unauthenticated and remote attacker can exploit this to execute arbitrary operating system commands, as demonstrated by includin | ||
| CVE-2022-44289 | — | <= 5.0.24 | — | Dec 6, 2022 | Thinkphp 5.1.41 and 5.0.24 has a code logic error which causes file upload getshell. | ||
| CVE-2022-38352 | — | <= 6.0.13 | — | Sep 15, 2022 | ThinkPHP v6.0.13 was discovered to contain a deserialization vulnerability via the component League\Flysystem\Cached\Storage\Psr6Cache. This vulnerability allows attackers to execute arbitrary code via a crafted payload. | ||
| CVE-2022-33107 | — | <= 6.0.12 | — | Jun 29, 2022 | ThinkPHP v6.0.12 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-adapter\src\Storage\AbstractCache.php. This vulnerability allows attackers to execute arbitrary code via a crafted payload. | ||
| CVE-2021-23592 | — | < 6.0.12 | 6.0.12 | May 6, 2022 | The package topthink/framework before 6.0.12 are vulnerable to Deserialization of Untrusted Data due to insecure unserialize method in the Driver class. | ||
| CVE-2022-25481 | — | <= 5.0.24 | — | Mar 20, 2022 | ThinkPHP Framework v5.0.24 was discovered to be configured without the PATHINFO parameter. This allows attackers to access all system environment parameters from index.php. NOTE: this is disputed by a third party because system environment exposure is an intended feature of the d | ||
| CVE-2021-44892 | — | <= 3.2.3 | — | Feb 10, 2022 | A Remote Code Execution (RCE) vulnerability exists in ThinkPHP 3.x.x via value[_filename] in index.php, which could let a malicious user obtain server control privileges. | ||
| CVE-2021-44350 | — | >= 5.0, <= 5.1.22 | — | Dec 15, 2021 | SQL Injection vulnerability exists in ThinkPHP5 5.0.x <=5.1.22 via the parseOrder function in Builder.php. | ||
| CVE-2021-36567 | — | <= 6.0.8 | — | Dec 6, 2021 | ThinkPHP v6.0.8 was discovered to contain a deserialization vulnerability via the component League\Flysystem\Cached\Storage\AbstractCache. | ||
| CVE-2021-36564 | — | < 6.0.9 | 6.0.9 | Dec 6, 2021 | ThinkPHP v6.0.8 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-adapter\src\Storage\Adapter.php. | ||
| CVE-2018-18546 | — | <= 3.2.4 | — | Oct 21, 2018 | ThinkPHP 3.2.4 has SQL Injection via the order parameter because the Library/Think/Db/Driver.class.php parseOrder function mishandles the key variable. | ||
| CVE-2018-18530 | — | <= 5.1.25 | — | Oct 19, 2018 | ThinkPHP 5.1.25 has SQL Injection via the count parameter because the library/think/db/Query.php aggregate function mishandles the aggregate variable. NOTE: a backquote character is required in the attack URI. | ||
| CVE-2018-18529 | — | <= 3.2.4 | — | Oct 19, 2018 | ThinkPHP 3.2.4 has SQL Injection via the count parameter because the Library/Think/Db/Driver/Mysql.class.php parseKey function mishandles the key variable. NOTE: a backquote character is not required in the attack URI. | ||
| CVE-2018-17566 | Cri | 9.8 | — | — | Sep 26, 2018 | In ThinkPHP 5.1.24, the inner function delete can be used for SQL injection when its WHERE condition's value can be controlled by a user's request. | |
| CVE-2018-16385 | Cri | 9.8 | < 5.1.23 | 5.1.23 | Sep 3, 2018 | ThinkPHP before 5.1.23 allows SQL Injection via the public/index/index/test/index query string. | |
| CVE-2018-10225 | Cri | 9.8 | — | — | Apr 19, 2018 | thinkphp 3.1.3 has SQL Injection via the index.php s parameter. |
- CVE-2025-50706Aug 5, 2025affected <= 5.1.41
An issue in thinkphp v.5.1 allows a remote attacker to execute arbitrary code via the routecheck function
- CVE-2024-44902Sep 9, 2024affected >= 6.1.3, <= 8.0.4
A deserialization vulnerability in Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code.
- CVE-2024-34467May 4, 2024affected >= 8.0.0, < 8.0.4fixed 8.0.4
ThinkPHP 8.0.3 allows remote attackers to exploit XSS due to inadequate filtering of function argument values in think_exception.tpl.
- CVE-2022-47945Dec 23, 2022affected < 6.0.14fixed 6.0.14
ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled (lang_switch_on=true). An unauthenticated and remote attacker can exploit this to execute arbitrary operating system commands, as demonstrated by includin
- CVE-2022-44289Dec 6, 2022affected <= 5.0.24
Thinkphp 5.1.41 and 5.0.24 has a code logic error which causes file upload getshell.
- CVE-2022-38352Sep 15, 2022affected <= 6.0.13
ThinkPHP v6.0.13 was discovered to contain a deserialization vulnerability via the component League\Flysystem\Cached\Storage\Psr6Cache. This vulnerability allows attackers to execute arbitrary code via a crafted payload.
- CVE-2022-33107Jun 29, 2022affected <= 6.0.12
ThinkPHP v6.0.12 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-adapter\src\Storage\AbstractCache.php. This vulnerability allows attackers to execute arbitrary code via a crafted payload.
- CVE-2021-23592May 6, 2022affected < 6.0.12fixed 6.0.12
The package topthink/framework before 6.0.12 are vulnerable to Deserialization of Untrusted Data due to insecure unserialize method in the Driver class.
- CVE-2022-25481Mar 20, 2022affected <= 5.0.24
ThinkPHP Framework v5.0.24 was discovered to be configured without the PATHINFO parameter. This allows attackers to access all system environment parameters from index.php. NOTE: this is disputed by a third party because system environment exposure is an intended feature of the d
- CVE-2021-44892Feb 10, 2022affected <= 3.2.3
A Remote Code Execution (RCE) vulnerability exists in ThinkPHP 3.x.x via value[_filename] in index.php, which could let a malicious user obtain server control privileges.
- CVE-2021-44350Dec 15, 2021affected >= 5.0, <= 5.1.22
SQL Injection vulnerability exists in ThinkPHP5 5.0.x <=5.1.22 via the parseOrder function in Builder.php.
- CVE-2021-36567Dec 6, 2021affected <= 6.0.8
ThinkPHP v6.0.8 was discovered to contain a deserialization vulnerability via the component League\Flysystem\Cached\Storage\AbstractCache.
- CVE-2021-36564Dec 6, 2021affected < 6.0.9fixed 6.0.9
ThinkPHP v6.0.8 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-adapter\src\Storage\Adapter.php.
- CVE-2018-18546Oct 21, 2018affected <= 3.2.4
ThinkPHP 3.2.4 has SQL Injection via the order parameter because the Library/Think/Db/Driver.class.php parseOrder function mishandles the key variable.
- CVE-2018-18530Oct 19, 2018affected <= 5.1.25
ThinkPHP 5.1.25 has SQL Injection via the count parameter because the library/think/db/Query.php aggregate function mishandles the aggregate variable. NOTE: a backquote character is required in the attack URI.
- CVE-2018-18529Oct 19, 2018affected <= 3.2.4
ThinkPHP 3.2.4 has SQL Injection via the count parameter because the Library/Think/Db/Driver/Mysql.class.php parseKey function mishandles the key variable. NOTE: a backquote character is not required in the attack URI.
In ThinkPHP 5.1.24, the inner function delete can be used for SQL injection when its WHERE condition's value can be controlled by a user's request.
- affected < 5.1.23fixed 5.1.23
ThinkPHP before 5.1.23 allows SQL Injection via the public/index/index/test/index query string.
thinkphp 3.1.3 has SQL Injection via the index.php s parameter.