Thinkphp
Known Exploited Thinkphp Vulnerabilities
The following Thinkphp vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| ThinkPHP Remote Code Execution Vulnerability | ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command. CVE-2019-9082. Exploit Probability: 94.2% | November 3, 2021 |
The vulnerability CVE-2019-9082: ThinkPHP Remote Code Execution Vulnerability is in the top 1% of the currently known exploitable vulnerabilities.
By the Year
In 2026 there has been 1 vulnerability in Thinkphp, with an average score of 9.8 out of ten. Last year, in 2025, Thinkphp had 4 security vulnerabilities published. Right now, Thinkphp is on track to have fewer security vulnerabilities in 2026 than it did last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 1.15.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 1 | 9.80 |
| 2025 | 4 | 8.65 |
| 2024 | 3 | 9.80 |
| 2023 | 1 | 9.80 |
| 2022 | 7 | 9.19 |
| 2021 | 4 | 9.80 |
| 2020 | 0 | 0.00 |
| 2019 | 1 | 8.80 |
| 2018 | 6 | 9.80 |
It may take a day or so for new Thinkphp vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Thinkphp Security Vulnerabilities
ThinkPHP 5.0.23 RCE via Routing Param in index.php
CVE-2018-25270
9.8 - Critical
- April 22, 2026
ThinkPHP 5.0.23 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by invoking functions through the routing parameter. Attackers can craft requests to the index.php endpoint with malicious function parameters to execute system commands with application privileges.
Insecure Direct Object Reference / IDOR
ThinkPHP 5.0.24 RCE via File Template Driver
CVE-2025-63888
9.8 - Critical
- November 20, 2025
The read function in file thinkphp\library\think\template\driver\File.php in ThinkPHP 5.0.24 contains a remote code execution vulnerability.
Remote file include
ThinkPHP 5.0.24 Template fetch File Read via Malicious Path
CVE-2025-63889
7.5 - High
- November 20, 2025
The fetch function in file thinkphp\library\think\Template.php in ThinkPHP 5.0.24 allows attackers to read arbitrary files via crafted file path in a template value.
Out-of-bounds Read
ThinkPHP3 v3.2.5 RCE via index.php
CVE-2025-50707
- August 05, 2025
An issue in thinkphp3 v.3.2.5 allows a remote attacker to execute arbitrary code via the index.php component
ThinkPHP 5.1 RCE via routecheck function
CVE-2025-50706
- August 05, 2025
An issue in thinkphp v.5.1 allows a remote attacker to execute arbitrary code via the routecheck function
ThinkPHP Deserialization Vulnerability in Controller\Index.php v6.1.3 to v8.0.4
CVE-2024-48112
- October 30, 2024
A deserialization vulnerability in the component \controller\Index.php of Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code.
ThinkPHP v6.1.3-v8.0.4 Deserialization RCE
CVE-2024-44902
9.8 - Critical
- September 09, 2024
A deserialization vulnerability in Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code.
Marshaling, Unmarshaling
XSS in ThinkPHP 8.0.3 via think_exception.tpl function args
CVE-2024-34467
- May 04, 2024
ThinkPHP 8.0.3 allows remote attackers to exploit XSS due to inadequate filtering of function argument values in think_exception.tpl.
ThinkPHP 6.x Deserialization Vulnerability (CVE-2022-45982)
CVE-2022-45982
9.8 - Critical
- February 08, 2023
thinkphp 6.0.0~6.0.13 and 6.1.0~6.1.1 contains a deserialization vulnerability. This vulnerability allows attackers to execute arbitrary code via a crafted payload.
Marshaling, Unmarshaling
ThinkPHP 6.0 LFI via lang param pre6.0.14
CVE-2022-47945
9.8 - Critical
- December 23, 2022
ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled (lang_switch_on=true). An unauthenticated and remote attacker can exploit this to execute arbitrary operating system commands, as demonstrated by including pearcmd.php.
Directory traversal
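The two entries on this page with a concrete request shape, the `?s=index/\think\app/invokefunction` route of the CISA-listed CVE-2019-9082 and the traversal in the `lang` parameter of CVE-2022-47945, are straightforward to hunt for in web-server access logs. The following is an added example, not code from the ThinkPHP project or from stack.watch: a Python scanner over constructed sample log lines in a simplified `ip method target status` layout (an assumed format, not a real server's), which percent-decodes the request target twice to defeat `%5C` and `%252F` style evasion and reports which advisory each hit matches.

```python
"""Hunt for ThinkPHP exploitation attempts in access logs (added example)."""
from __future__ import annotations

import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines in an assumed "ip method target status" layout.
# These are not real traffic; they mirror the request shapes named in the advisories.
SAMPLE_LOG = r"""
203.0.113.10 GET /public/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id 200
203.0.113.11 GET /index.php?s=index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars%5B0%5D=phpinfo&vars%5B1%5D%5B%5D=1 200
203.0.113.12 GET /index.php?lang=..%252F..%252F..%252F..%252Fusr/local/lib/php/pearcmd 200
198.51.100.5 GET /index.php?s=/index/index/index 200
198.51.100.6 GET /index.php?lang=zh-cn 200
"""

LOG_LINE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$")

# PHP callables an attacker typically names in vars[0] once invokefunction is reached.
DANGEROUS_CALLABLES = {"system", "exec", "shell_exec", "passthru", "popen", "proc_open", "phpinfo"}


def percent_decode(value: str, rounds: int = 2) -> str:
    """Percent-decode up to ``rounds`` times so %5C (backslash) and %252F
    (double-encoded slash) evasion is normalised before matching."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def query_params(target: str) -> dict[str, list[str]]:
    """Decoded query parameters of a request target, keys lower-cased."""
    raw = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return {k.lower(): [percent_decode(v) for v in vs] for k, vs in raw.items()}


def classify(target: str) -> dict[str, str] | None:
    """Return {'cve', 'detail'} for a request target that matches an indicator, else None."""
    flat = percent_decode(target).replace("\\", "/").lower()
    params = query_params(target)

    # CVE-2019-9082 family: any request that routes to think\app::invokefunction
    # is hostile; the callable named in vars[...] tells the analyst what was tried.
    if "think/app/invokefunction" in flat:
        named = [v for k, vs in params.items() if k.startswith("vars")
                 for v in vs if v.lower() in DANGEROUS_CALLABLES]
        return {"cve": "CVE-2019-9082", "detail": "callable=" + (named[0] if named else "unknown")}

    # CVE-2022-47945: traversal (or a direct pearcmd reference) in the ``lang`` parameter.
    for value in params.get("lang", []):
        norm = value.replace("\\", "/").lower()
        if "../" in norm or "pearcmd" in norm:
            return {"cve": "CVE-2022-47945", "detail": "lang=" + value}
    return None


def scan_log(text: str) -> list[dict[str, str]]:
    """Run classify() over every parseable log line and collect the hits in order."""
    hits: list[dict[str, str]] = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        verdict = classify(m["target"])
        if verdict:
            hits.append({"ip": m["ip"], "target": m["target"], **verdict})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["cve"]} {hit["detail"]} {hit["target"]}')
```

The invokefunction check fires on the route alone rather than on the callable, because no legitimate request reaches `think\app::invokefunction` through the query string; the `lang` check is deliberately narrow (traversal or pearcmd) so that ordinary language switches such as `lang=zh-cn` do not alert.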
ThinkPHP 5.1.41/5.0.24 File Upload GetShell via Logic Error
CVE-2022-44289
8.8 - High
- December 06, 2022
Thinkphp 5.1.41 and 5.0.24 have a code logic error which causes file upload getshell.
Unrestricted File Upload
Deserialization RCE in ThinkPHP v6.0.13 via League Flysystem Psr6Cache
CVE-2022-38352
9.8 - Critical
- September 15, 2022
ThinkPHP v6.0.13 was discovered to contain a deserialization vulnerability via the component League\Flysystem\Cached\Storage\Psr6Cache. This vulnerability allows attackers to execute arbitrary code via a crafted payload.
Marshaling, Unmarshaling
ThinkPHP v6.0.12 was discovered to contain a deserialization vulnerability
CVE-2022-33107
9.8 - Critical
- June 29, 2022
ThinkPHP v6.0.12 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-adapter\src\Storage\AbstractCache.php. This vulnerability allows attackers to execute arbitrary code via a crafted payload.
Marshaling, Unmarshaling
The package topthink/framework before 6.0.12 is vulnerable to Deserialization of Untrusted Data due to insecure unserialize method in the Driver class.
CVE-2021-23592
9.8 - Critical
- May 06, 2022
The package topthink/framework before 6.0.12 is vulnerable to Deserialization of Untrusted Data due to an insecure unserialize method in the Driver class.
Marshaling, Unmarshaling
ThinkPHP Framework v5.0.24 was discovered to be configured without the PATHINFO parameter
CVE-2022-25481
7.5 - High
- March 21, 2022
ThinkPHP Framework v5.0.24 was discovered to be configured without the PATHINFO parameter. This allows attackers to access all system environment parameters from index.php. NOTE: this is disputed by a third party because system environment exposure is an intended feature of the debugging mode.
Exposure of Resource to Wrong Sphere
A Remote Code Execution (RCE) vulnerability exists in ThinkPHP 3.x.x
CVE-2021-44892
8.8 - High
- February 10, 2022
A Remote Code Execution (RCE) vulnerability exists in ThinkPHP 3.x.x via value[_filename] in index.php, which could let a malicious user obtain server control privileges.
SQL Injection vulnerability exists in ThinkPHP5 5.0.x <=5.1.22
CVE-2021-44350
9.8 - Critical
- December 15, 2021
SQL Injection vulnerability exists in ThinkPHP5 5.0.x <=5.1.22 via the parseOrder function in Builder.php.
SQL Injection
ThinkPHP v6.0.8 was discovered to contain a deserialization vulnerability
CVE-2021-36564
9.8 - Critical
- December 06, 2021
ThinkPHP v6.0.8 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-adapter\src\Storage\Adapter.php.
Marshaling, Unmarshaling
ThinkPHP v6.0.8 was discovered to contain a deserialization vulnerability
CVE-2021-36567
9.8 - Critical
- December 06, 2021
ThinkPHP v6.0.8 was discovered to contain a deserialization vulnerability via the component League\Flysystem\Cached\Storage\AbstractCache.
Marshaling, Unmarshaling
ThinkPHP v3.2.3 and below contains a SQL injection vulnerability
CVE-2020-20120
9.8 - Critical
- September 28, 2021
ThinkPHP v3.2.3 and below contains a SQL injection vulnerability which is triggered when the array is not passed to the "where" and "query" methods.
SQL Injection
ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products
CVE-2019-9082
8.8 - High
- February 24, 2019
ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.
Missing Authentication for Critical Function
ThinkPHP 3.2.4 has SQL Injection via the order parameter
CVE-2018-18546
9.8 - Critical
- October 21, 2018
ThinkPHP 3.2.4 has SQL Injection via the order parameter because the Library/Think/Db/Driver.class.php parseOrder function mishandles the key variable.
SQL Injection
ThinkPHP 5.1.25 has SQL Injection via the count parameter
CVE-2018-18530
9.8 - Critical
- October 19, 2018
ThinkPHP 5.1.25 has SQL Injection via the count parameter because the library/think/db/Query.php aggregate function mishandles the aggregate variable. NOTE: a backquote character is required in the attack URI.
SQL Injection
ThinkPHP 3.2.4 has SQL Injection via the count parameter
CVE-2018-18529
9.8 - Critical
- October 19, 2018
ThinkPHP 3.2.4 has SQL Injection via the count parameter because the Library/Think/Db/Driver/Mysql.class.php parseKey function mishandles the key variable. NOTE: a backquote character is not required in the attack URI.
SQL Injection
In ThinkPHP 5.1.24, the inner function delete
CVE-2018-17566
9.8 - Critical
- September 26, 2018
In ThinkPHP 5.1.24, the inner function delete can be used for SQL injection when its WHERE condition's value can be controlled by a user's request.
SQL Injection
ThinkPHP before 5.1.23
CVE-2018-16385
9.8 - Critical
- September 03, 2018
ThinkPHP before 5.1.23 allows SQL Injection via the public/index/index/test/index query string.
SQL Injection
thinkphp 3.1.3 has SQL Injection
CVE-2018-10225
- April 19, 2018
thinkphp 3.1.3 has SQL Injection via the index.php s parameter.
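For anyone who pulls ThinkPHP in through Composer, the version ranges in the entries above can be checked against a composer.lock directly. The following is an added example, not code from the project or from this page: a Python audit that transcribes a subset of the ranges listed above for the `topthink/framework` package and reports which CVE ids cover the locked version. The sample composer.lock is constructed. Entries whose description names a single version ("v6.0.12 was discovered to contain ...") are encoded as exactly that version, and the two "before 6.0.x" entries are taken as applying to the 6.0 line, which is an interpretation rather than something the page states. ThinkPHP 3.x releases, which predate the package name, are not covered.

```python
"""Audit a composer.lock for topthink/framework versions named on this page (added example)."""
from __future__ import annotations

import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Affected:
    cve: str
    low: str | None        # inclusive lower bound; None = every earlier version
    high: str              # upper bound
    high_inclusive: bool   # True for "x to y" / "exactly y", False for "before y"


# Transcribed from the advisory entries above. Single-version entries are encoded
# as that exact version; "before 6.0.x" entries are read as the 6.0 line (interpretation).
ADVISORIES = [
    Affected("CVE-2018-16385", None, "5.1.23", False),      # before 5.1.23
    Affected("CVE-2021-44350", "5.0.0", "5.1.22", True),    # 5.0.x <= 5.1.22
    Affected("CVE-2021-23592", "6.0.0", "6.0.12", False),   # before 6.0.12
    Affected("CVE-2021-36564", "6.0.8", "6.0.8", True),
    Affected("CVE-2021-36567", "6.0.8", "6.0.8", True),
    Affected("CVE-2022-33107", "6.0.12", "6.0.12", True),
    Affected("CVE-2022-38352", "6.0.13", "6.0.13", True),
    Affected("CVE-2022-45982", "6.0.0", "6.0.13", True),
    Affected("CVE-2022-45982", "6.1.0", "6.1.1", True),
    Affected("CVE-2022-47945", "6.0.0", "6.0.14", False),   # before 6.0.14
    Affected("CVE-2024-44902", "6.1.3", "8.0.4", True),
    Affected("CVE-2024-48112", "6.1.3", "8.0.4", True),
]

PACKAGE = "topthink/framework"

# Constructed sample lock file, not taken from any real project.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "topthink/framework", "version": "v6.0.12"},
        {"name": "psr/log", "version": "1.1.4"},
    ],
    "packages-dev": [],
})


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn 'v6.0.12', '6.1' or '8.0.4-beta' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^v?(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = [int(x) for x in m.group(1).split(".")][:3]
    nums += [0] * (3 - len(nums))
    return nums[0], nums[1], nums[2]


def affected_cves(version: str) -> list[str]:
    """CVE ids from ADVISORIES whose range contains ``version``, in list order, deduplicated."""
    ver = parse_version(version)
    hits: list[str] = []
    for adv in ADVISORIES:
        if adv.low is not None and ver < parse_version(adv.low):
            continue
        top = parse_version(adv.high)
        inside = ver <= top if adv.high_inclusive else ver < top
        if inside and adv.cve not in hits:
            hits.append(adv.cve)
    return hits


def audit_lock(lock_text: str) -> list[str]:
    """CVE ids covering every topthink/framework entry in a composer.lock document."""
    lock = json.loads(lock_text)
    cves: list[str] = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == PACKAGE:
                for cve in affected_cves(pkg["version"]):
                    if cve not in cves:
                        cves.append(cve)
    return cves


if __name__ == "__main__":
    print(PACKAGE, "in sample lock is covered by:", audit_lock(SAMPLE_LOCK))
```

Run it against a real lock with `audit_lock(open("composer.lock").read())`; an empty list means none of the transcribed ranges match, not that the version is clean, so extend `ADVISORIES` as new entries are added above.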