Vendor coverage
Track published CVEs, severity trends, and remediation context for thinkphp products.
Search results: showing 1-26 of 26 vulnerabilities.
The fetch function in the file thinkphp\library\think\Template.php in ThinkPHP 5.0.24 allows attackers to read arbitrary files via a crafted file path in a template value.
CVSS 7.5 (HIGH) | Published Nov 20, 2025
The read function in the file thinkphp\library\think\template\driver\File.php in ThinkPHP 5.0.24 contains a remote code execution vulnerability.
CVSS 9.8 (CRITICAL) | Published Nov 20, 2025
An issue in ThinkPHP 3.2.5 allows a remote attacker to execute arbitrary code via the index.php component.
CVSS 9.8 (CRITICAL) | Published Aug 5, 2025
An issue in ThinkPHP 5.1 allows a remote attacker to execute arbitrary code via the routecheck function.
CVSS 9.8 (CRITICAL) | Published Aug 5, 2025
A deserialization vulnerability in the component \controller\Index.php of ThinkPHP v6.1.3 to v8.0.4 allows attackers to execute arbitrary code.
CVSS 9.8 (CRITICAL) | Published Oct 30, 2024
A deserialization vulnerability in ThinkPHP v6.1.3 to v8.0.4 allows attackers to execute arbitrary code.
CVSS 9.8 (CRITICAL) | Published Sep 9, 2024
ThinkPHP 8.0.3 allows remote attackers to exploit XSS due to inadequate filtering of function argument values in think_exception.tpl.
CVSS 6.1 (MEDIUM) | Published May 4, 2024
ThinkPHP 6.0.0 through 6.0.13 and 6.1.0 through 6.1.1 contain a deserialization vulnerability that allows attackers to execute arbitrary code via a crafted payload.
CVSS 9.8 (CRITICAL) | Published Feb 8, 2023
ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled (lang_switch_on=true). An unauthenticated and remote attacker can exploit this to execute arbitrary operating system commands, as demonstrated by including pearcmd.php.
CVSS 9.8 (CRITICAL) | Published Dec 23, 2022
ThinkPHP 5.1.41 and 5.0.24 have a code logic error in file upload handling that lets an attacker upload a web shell.
CVSS 8.8 (HIGH) | Published Dec 6, 2022
ThinkPHP v6.0.13 was discovered to contain a deserialization vulnerability via the component League\Flysystem\Cached\Storage\Psr6Cache. This vulnerability allows attackers to execute arbitrary code via a crafted payload.
CVSS 9.8 (CRITICAL) | Published Sep 15, 2022
ThinkPHP v6.0.12 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-adapter\src\Storage\AbstractCache.php. This vulnerability allows attackers to execute arbitrary code via a crafted payload.
CVSS 9.8 (CRITICAL) | Published Jun 29, 2022
The package topthink/framework before 6.0.12 is vulnerable to Deserialization of Untrusted Data due to an insecure unserialize method in the Driver class.
CVSS 7.7 (HIGH) | Published May 6, 2022
ThinkPHP Framework v5.0.24 was discovered to be configured without the PATHINFO parameter. This allows attackers to access all system environment parameters from index.php. NOTE: this is disputed by a third party because system environment exposure is an intended feature of the debugging mode.
CVSS 7.5 (HIGH) | Published Mar 21, 2022
A Remote Code Execution (RCE) vulnerability exists in ThinkPHP 3.x.x via value[_filename] in index.php, which could let a malicious user obtain server control privileges.
CVSS 8.8 (HIGH) | Published Feb 10, 2022
A SQL injection vulnerability exists in ThinkPHP5 5.0.x <= 5.1.22 via the parseOrder function in Builder.php.
CVSS 9.8 (CRITICAL) | Published Dec 15, 2021
ThinkPHP v6.0.8 was discovered to contain a deserialization vulnerability via the component League\Flysystem\Cached\Storage\AbstractCache.
CVSS 9.8 (CRITICAL) | Published Dec 6, 2021
ThinkPHP v6.0.8 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-adapter\src\Storage\Adapter.php.
CVSS 9.8 (CRITICAL) | Published Dec 6, 2021
ThinkPHP v3.2.3 and below contains a SQL injection vulnerability that is triggered when a value other than an array is passed to the "where" and "query" methods.
CVSS 9.8 (CRITICAL) | Published Sep 28, 2021
ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.
CVSS 8.8 (HIGH) | Published Feb 24, 2019
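Two entries in this list describe a concrete request shape rather than just a component: the invokefunction / call_user_func_array URI above, and the lang parameter traversal to pearcmd.php in the "before 6.0.14" entry. As an added example (not code from this page or from the ThinkPHP project), the following Python scanner turns those two shapes into detection rules and runs them over constructed access-log lines. The rule names, the sample log lines and the percent-decoding depth are assumptions made for the example; the request patterns themselves are the ones quoted in the advisories.

```python
r"""Flag ThinkPHP exploitation attempts in web-server access logs.

Added example for this page; not code from the page or from the ThinkPHP
project. The two patterns come from the advisories listed here: the
\think\app/invokefunction + call_user_func_array RCE URI, and the `lang`
parameter traversal to pearcmd.php. Rule names and log lines are constructed.
"""
from __future__ import annotations

import re
from urllib.parse import unquote_plus

# Constructed sample lines in combined log format (not a real capture).
# Line 2 is the same RCE URI as line 1 with the backslashes percent-encoded.
SAMPLE_LOG = r"""
10.0.0.5 - - [24/Feb/2019:10:01:02 +0000] "GET /public/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id HTTP/1.1" 200 512
10.0.0.6 - - [24/Feb/2019:10:01:03 +0000] "GET /index.php?s=index/%5Cthink%5CApp/invokefunction&function=call_user_func_array&vars%5B0%5D=phpinfo&vars%5B1%5D%5B%5D=1 HTTP/1.1" 200 9421
10.0.0.7 - - [23/Dec/2022:11:00:00 +0000] "GET /index.php?lang=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/<?=phpinfo()?>+/tmp/x.php HTTP/1.1" 200 100
10.0.0.8 - - [24/Feb/2019:10:02:00 +0000] "GET /index.php?s=index/user/profile&id=42 HTTP/1.1" 200 2048
10.0.0.9 - - [24/Feb/2019:10:02:01 +0000] "GET /index.php?lang=en-us HTTP/1.1" 200 2048
"""

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

RULES = {
    # Route into think\App::invokefunction followed by a `function` argument:
    # the ThinkPHP 5.x RCE chain from the advisory above. Deliberately not
    # anchored on `s=`, so the same route supplied via PATH_INFO also matches.
    "thinkphp_invokefunction_rce": re.compile(
        r"\\think\\[a-z]+/invokefunction.*[?&]function=", re.I
    ),
    # `lang` carrying directory traversal or a reference to pearcmd: the
    # language-pack LFI in ThinkPHP before 6.0.14.
    "thinkphp_lang_lfi": re.compile(r"[?&]lang=[^&]*(?:\.\./|pearcmd)", re.I),
}


def decode_target(target: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times so that double-encoded payloads
    (e.g. %255C for a backslash) normalise to the same form as plain ones."""
    for _ in range(rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target


def classify(line: str) -> list[str]:
    """Return the names of the rules one access-log line triggers ([] if none)."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    target = decode_target(match.group("target"))
    return [name for name, rule in RULES.items() if rule.search(target)]


def scan(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client_ip, raw_request_target, rule_hits) for every flagged line."""
    findings: list[tuple[str, str, list[str]]] = []
    for line in log_text.strip().splitlines():
        hits = classify(line)
        if hits:
            client_ip = line.split(" ", 1)[0]
            raw_target = REQUEST_RE.search(line).group("target")
            findings.append((client_ip, raw_target, hits))
    return findings


if __name__ == "__main__":
    for client_ip, raw_target, hits in scan(SAMPLE_LOG):
        print(f"{client_ip} {', '.join(hits)} {raw_target}")
```

Matching is done on the decoded request target rather than on parsed query parameters so that the encoded variant (line 2) and the plain one (line 1) hit the same rule; two decoding rounds cover double encoding without treating every `%` in a benign URL as suspicious. The benign `s=index/user/profile` and `lang=en-us` requests are there to show the rules do not fire on ordinary routing or language switching.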
ThinkPHP 3.2.4 has SQL Injection via the order parameter because the Library/Think/Db/Driver.class.php parseOrder function mishandles the key variable.
CVSS 9.8 (CRITICAL) | Published Oct 21, 2018
ThinkPHP 5.1.25 has SQL Injection via the count parameter because the library/think/db/Query.php aggregate function mishandles the aggregate variable. NOTE: a backquote character is required in the attack URI.
CVSS 9.8 (CRITICAL) | Published Oct 19, 2018
ThinkPHP 3.2.4 has SQL Injection via the count parameter because the Library/Think/Db/Driver/Mysql.class.php parseKey function mishandles the key variable. NOTE: a backquote character is not required in the attack URI.
CVSS 9.8 (CRITICAL) | Published Oct 19, 2018
In ThinkPHP 5.1.24, the inner function delete can be used for SQL injection when its WHERE condition's value can be controlled by a user's request.
CVSS 9.8 (CRITICAL) | Published Sep 26, 2018
ThinkPHP before 5.1.23 allows SQL Injection via the public/index/index/test/index query string.
CVSS 9.8 (CRITICAL) | Published Sep 3, 2018
ThinkPHP 3.1.3 has SQL Injection via the index.php s parameter.
CVSS 9.8 (CRITICAL) | Published Apr 19, 2018