ThinkPHP: Security Vulnerabilities
ThinkPHP 5.0.23 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by invoking functions through the routing parameter. Attackers can craft requests to the index.php endpoint with malicious function parameters to execute system commands with application privileges.
CVSS Score: 9.3 | EPSS Score: 0.009 | Published: 2026-04-22

The fetch function in file thinkphp\library\think\Template.php in ThinkPHP 5.0.24 allows attackers to read arbitrary files via a crafted file path in a template value.
CVSS Score: 7.5 | EPSS Score: 0.0 | Published: 2025-11-20

The read function in file thinkphp\library\think\template\driver\File.php in ThinkPHP 5.0.24 contains a remote code execution vulnerability.
CVSS Score: 9.8 | EPSS Score: 0.004 | Published: 2025-11-20

An issue in thinkphp3 v.3.2.5 allows a remote attacker to execute arbitrary code via the index.php component.
CVSS Score: 9.8 | EPSS Score: 0.017 | Published: 2025-08-05

An issue in thinkphp v.5.1 allows a remote attacker to execute arbitrary code via the routecheck function.
CVSS Score: 9.8 | EPSS Score: 0.017 | Published: 2025-08-05

A deserialization vulnerability in the component \controller\Index.php of ThinkPHP v6.1.3 to v8.0.4 allows attackers to execute arbitrary code.
CVSS Score: 9.8 | EPSS Score: 0.024 | Published: 2024-10-30

A deserialization vulnerability in ThinkPHP v6.1.3 to v8.0.4 allows attackers to execute arbitrary code.
CVSS Score: 9.8 | EPSS Score: 0.841 | Published: 2024-09-09

ThinkPHP 8.0.3 allows remote attackers to exploit XSS due to inadequate filtering of function argument values in think_exception.tpl.
CVSS Score: 6.1 | EPSS Score: 0.001 | Published: 2024-05-04

thinkphp 6.0.0~6.0.13 and 6.1.0~6.1.1 contain a deserialization vulnerability. This vulnerability allows attackers to execute arbitrary code via a crafted payload.
CVSS Score: 9.8 | EPSS Score: 0.048 | Published: 2023-02-08

ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled (lang_switch_on=true). An unauthenticated and remote attacker can exploit this to execute arbitrary operating system commands, as demonstrated by including pearcmd.php.
CVSS Score: 9.8 | EPSS Score: 0.903 | Published: 2022-12-23
Shodan ® - All rights reserved