VYPR
Vendor: Thinkphp

Products: 1
CVEs: 14
Across products: 14
Status: Private

Recent CVEs (14)
  • CVE-2018-25270 | Critical | Apr 22, 2026
    risk 0.57 | cvss 9.8 | epss 0.01

    ThinkPHP 5.0.23 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by invoking functions through the routing parameter. Attackers can craft requests to the index.php endpoint with malicious function parameters to…

  • CVE-2019-9082 | KEV | Feb 24, 2019
    risk 0.23 | cvss | epss 0.97

    ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.

  • CVE-2024-44902 | Sep 9, 2024
    risk 0.07 | cvss | epss 0.04

    A deserialization vulnerability in Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code.

  • CVE-2022-33107 | Jun 29, 2022
    risk 0.02 | cvss | epss 0.22

    ThinkPHP v6.0.12 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-adapter\src\Storage\AbstractCache.php. This vulnerability allows attackers to execute arbitrary code via a crafted payload.

  • CVE-2025-63889 | Nov 20, 2025
    risk 0.00 | cvss | epss 0.00

    The fetch function in file thinkphp\library\think\Template.php in ThinkPHP 5.0.24 allows attackers to read arbitrary files via crafted file path in a template value.

  • CVE-2025-63888 | Nov 20, 2025
    risk 0.00 | cvss | epss 0.01

    The read function in file thinkphp\library\think\template\driver\File.php in ThinkPHP 5.0.24 contains a remote code execution vulnerability.

  • CVE-2025-50706 | Aug 5, 2025
    risk 0.00 | cvss | epss 0.01

    An issue in ThinkPHP v5.1 allows a remote attacker to execute arbitrary code via the routecheck function.

  • CVE-2025-50707 | Aug 5, 2025
    risk 0.00 | cvss | epss 0.01

    An issue in thinkphp3 v3.2.5 allows a remote attacker to execute arbitrary code via the index.php component.

  • CVE-2024-48112 | Oct 30, 2024
    risk 0.00 | cvss | epss 0.01

    A deserialization vulnerability in the component \controller\Index.php of Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code.

  • CVE-2024-34467 | May 4, 2024
    risk 0.00 | cvss | epss 0.00

    ThinkPHP 8.0.3 allows remote attackers to exploit XSS due to inadequate filtering of function argument values in think_exception.tpl.

  • CVE-2022-45982 | Feb 8, 2023
    risk 0.00 | cvss | epss 0.01

    ThinkPHP 6.0.0~6.0.13 and 6.1.0~6.1.1 contain a deserialization vulnerability. This vulnerability allows attackers to execute arbitrary code via a crafted payload.

  • CVE-2022-44289 | Dec 6, 2022
    risk 0.00 | cvss | epss 0.03

    Thinkphp 5.1.41 and 5.0.24 have a code logic error which leads to getshell via file upload.

  • CVE-2022-38352 | Sep 15, 2022
    risk 0.00 | cvss | epss 0.20

    ThinkPHP v6.0.13 was discovered to contain a deserialization vulnerability via the component League\Flysystem\Cached\Storage\Psr6Cache. This vulnerability allows attackers to execute arbitrary code via a crafted payload.

  • CVE-2021-44892 | Feb 10, 2022
    risk 0.00 | cvss | epss 0.02

    A Remote Code Execution (RCE) vulnerability exists in ThinkPHP 3.x.x via value[_filename] in index.php, which could let a malicious user obtain server control privileges.