CVE-2018-25270

CRITICAL CVSS 9.8 View on NVD ↗

Description

ThinkPHP 5.0.23 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by invoking functions through the routing parameter. Attackers can craft requests to the index.php endpoint with malicious function parameters to execute system commands with application privileges.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

https://github.com/top-think/framework/
https://thinkphp.cn
https://www.exploit-db.com/exploits/45978
https://www.vulncheck.com/advisories/thinkphp-remote-code-execution-via-invokefunction

Published: Apr 22, 2026 16:16 UTC Modified: Apr 22, 2026 21:23 UTC