Packagist (Composer) package

topthink/framework

pkg:composer/topthink/framework

Vulnerabilities (19)

CVE	CVSS	Affected versions	Fixed in	Published	Description
CVE-2025-50706	—	<= 5.1.41	—	Aug 5, 2025	An issue in thinkphp v.5.1 allows a remote attacker to execute arbitrary code via the routecheck function
CVE-2024-44902	—	>= 6.1.3, <= 8.0.4	—	Sep 9, 2024	A deserialization vulnerability in Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code.
CVE-2024-34467	—	>= 8.0.0, < 8.0.4	8.0.4	May 4, 2024	ThinkPHP 8.0.3 allows remote attackers to exploit XSS due to inadequate filtering of function argument values in think_exception.tpl.
CVE-2022-47945	—	< 6.0.14	6.0.14	Dec 23, 2022	ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled (lang_switch_on=true). An unauthenticated and remote attacker can exploit this to execute arbitrary operating system commands, as demonstrated by includin
CVE-2022-44289	—	<= 5.0.24	—	Dec 6, 2022	Thinkphp 5.1.41 and 5.0.24 has a code logic error which causes file upload getshell.
CVE-2022-38352	—	<= 6.0.13	—	Sep 15, 2022	ThinkPHP v6.0.13 was discovered to contain a deserialization vulnerability via the component League\Flysystem\Cached\Storage\Psr6Cache. This vulnerability allows attackers to execute arbitrary code via a crafted payload.
CVE-2022-33107	—	<= 6.0.12	—	Jun 29, 2022	ThinkPHP v6.0.12 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-adapter\src\Storage\AbstractCache.php. This vulnerability allows attackers to execute arbitrary code via a crafted payload.
CVE-2021-23592	—	< 6.0.12	6.0.12	May 6, 2022	The package topthink/framework before 6.0.12 are vulnerable to Deserialization of Untrusted Data due to insecure unserialize method in the Driver class.
CVE-2022-25481	—	<= 5.0.24	—	Mar 20, 2022	ThinkPHP Framework v5.0.24 was discovered to be configured without the PATHINFO parameter. This allows attackers to access all system environment parameters from index.php. NOTE: this is disputed by a third party because system environment exposure is an intended feature of the d
CVE-2021-44892	—	<= 3.2.3	—	Feb 10, 2022	A Remote Code Execution (RCE) vulnerability exists in ThinkPHP 3.x.x via value[_filename] in index.php, which could let a malicious user obtain server control privileges.
CVE-2021-44350	—	>= 5.0, <= 5.1.22	—	Dec 15, 2021	SQL Injection vulnerability exists in ThinkPHP5 5.0.x <=5.1.22 via the parseOrder function in Builder.php.
CVE-2021-36567	—	<= 6.0.8	—	Dec 6, 2021	ThinkPHP v6.0.8 was discovered to contain a deserialization vulnerability via the component League\Flysystem\Cached\Storage\AbstractCache.
CVE-2021-36564	—	< 6.0.9	6.0.9	Dec 6, 2021	ThinkPHP v6.0.8 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-adapter\src\Storage\Adapter.php.
CVE-2018-18546	—	<= 3.2.4	—	Oct 21, 2018	ThinkPHP 3.2.4 has SQL Injection via the order parameter because the Library/Think/Db/Driver.class.php parseOrder function mishandles the key variable.
CVE-2018-18530	—	<= 5.1.25	—	Oct 19, 2018	ThinkPHP 5.1.25 has SQL Injection via the count parameter because the library/think/db/Query.php aggregate function mishandles the aggregate variable. NOTE: a backquote character is required in the attack URI.
CVE-2018-18529	—	<= 3.2.4	—	Oct 19, 2018	ThinkPHP 3.2.4 has SQL Injection via the count parameter because the Library/Think/Db/Driver/Mysql.class.php parseKey function mishandles the key variable. NOTE: a backquote character is not required in the attack URI.
CVE-2018-17566	—	—	—	Sep 26, 2018	In ThinkPHP 5.1.24, the inner function delete can be used for SQL injection when its WHERE condition's value can be controlled by a user's request.
CVE-2018-16385	—	< 5.1.23	5.1.23	Sep 3, 2018	ThinkPHP before 5.1.23 allows SQL Injection via the public/index/index/test/index query string.
CVE-2018-10225	—	—	—	Apr 19, 2018	thinkphp 3.1.3 has SQL Injection via the index.php s parameter.

CVE-2025-50706Aug 5, 2025
affected <= 5.1.41
An issue in thinkphp v.5.1 allows a remote attacker to execute arbitrary code via the routecheck function
CVE-2024-44902Sep 9, 2024
affected >= 6.1.3, <= 8.0.4
A deserialization vulnerability in Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code.
CVE-2024-34467May 4, 2024
affected >= 8.0.0, < 8.0.4fixed 8.0.4
ThinkPHP 8.0.3 allows remote attackers to exploit XSS due to inadequate filtering of function argument values in think_exception.tpl.
CVE-2022-47945Dec 23, 2022
affected < 6.0.14fixed 6.0.14
ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled (lang_switch_on=true). An unauthenticated and remote attacker can exploit this to execute arbitrary operating system commands, as demonstrated by includin
CVE-2022-44289Dec 6, 2022
affected <= 5.0.24
Thinkphp 5.1.41 and 5.0.24 has a code logic error which causes file upload getshell.
CVE-2022-38352Sep 15, 2022
affected <= 6.0.13
ThinkPHP v6.0.13 was discovered to contain a deserialization vulnerability via the component League\Flysystem\Cached\Storage\Psr6Cache. This vulnerability allows attackers to execute arbitrary code via a crafted payload.
CVE-2022-33107Jun 29, 2022
affected <= 6.0.12
ThinkPHP v6.0.12 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-adapter\src\Storage\AbstractCache.php. This vulnerability allows attackers to execute arbitrary code via a crafted payload.
CVE-2021-23592May 6, 2022
affected < 6.0.12fixed 6.0.12
The package topthink/framework before 6.0.12 are vulnerable to Deserialization of Untrusted Data due to insecure unserialize method in the Driver class.
CVE-2022-25481Mar 20, 2022
affected <= 5.0.24
ThinkPHP Framework v5.0.24 was discovered to be configured without the PATHINFO parameter. This allows attackers to access all system environment parameters from index.php. NOTE: this is disputed by a third party because system environment exposure is an intended feature of the d
CVE-2021-44892Feb 10, 2022
affected <= 3.2.3
A Remote Code Execution (RCE) vulnerability exists in ThinkPHP 3.x.x via value[_filename] in index.php, which could let a malicious user obtain server control privileges.
CVE-2021-44350Dec 15, 2021
affected >= 5.0, <= 5.1.22
SQL Injection vulnerability exists in ThinkPHP5 5.0.x <=5.1.22 via the parseOrder function in Builder.php.
CVE-2021-36567Dec 6, 2021
affected <= 6.0.8
ThinkPHP v6.0.8 was discovered to contain a deserialization vulnerability via the component League\Flysystem\Cached\Storage\AbstractCache.
CVE-2021-36564Dec 6, 2021
affected < 6.0.9fixed 6.0.9
ThinkPHP v6.0.8 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-adapter\src\Storage\Adapter.php.
CVE-2018-18546Oct 21, 2018
affected <= 3.2.4
ThinkPHP 3.2.4 has SQL Injection via the order parameter because the Library/Think/Db/Driver.class.php parseOrder function mishandles the key variable.
CVE-2018-18530Oct 19, 2018
affected <= 5.1.25
ThinkPHP 5.1.25 has SQL Injection via the count parameter because the library/think/db/Query.php aggregate function mishandles the aggregate variable. NOTE: a backquote character is required in the attack URI.
CVE-2018-18529Oct 19, 2018
affected <= 3.2.4
ThinkPHP 3.2.4 has SQL Injection via the count parameter because the Library/Think/Db/Driver/Mysql.class.php parseKey function mishandles the key variable. NOTE: a backquote character is not required in the attack URI.
CVE-2018-17566Sep 26, 2018
In ThinkPHP 5.1.24, the inner function delete can be used for SQL injection when its WHERE condition's value can be controlled by a user's request.
CVE-2018-16385Sep 3, 2018
affected < 5.1.23fixed 5.1.23
ThinkPHP before 5.1.23 allows SQL Injection via the public/index/index/test/index query string.
CVE-2018-10225Apr 19, 2018
thinkphp 3.1.3 has SQL Injection via the index.php s parameter.