Known Vulnerabilities for products from Thinkphp
Listed below are 19 of the newest known vulnerabilities associated with the vendor "Thinkphp".
These CVEs are retrieved based on exact matches on listed vendor information (CPE data) as well as a keyword search to ensure the newest vulnerabilities with no officially listed vendor information are still displayed.
Data on known vulnerable products is also displayed, based on information from known CPEs; each product links to its respective vulnerability page.
Known Vulnerabilities
| CVE | Shortened Description | Severity | Publish Date | Last Modified |
|---|---|---|---|---|
| CVE-2022-47945 | ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled... | 9.8 - CRITICAL | 2022-12-23 | 2023-08-08 |
| CVE-2022-45982 | thinkphp 6.0.0~6.0.13 and 6.1.0~6.1.1 contains a deserialization vulnerability. This vulnerability allows attackers to execut... | 9.8 - CRITICAL | 2023-02-08 | 2023-02-16 |
| CVE-2022-44289 | Thinkphp 5.1.41 and 5.0.24 has a code logic error which causes file upload getshell. | 8.8 - HIGH | 2022-12-06 | 2022-12-08 |
| CVE-2022-38352 | ThinkPHP v6.0.13 was discovered to contain a deserialization vulnerability via the component League\Flysystem\Cached\Storage\... | 9.8 - CRITICAL | 2022-09-15 | 2022-09-16 |
| CVE-2022-33107 | ThinkPHP v6.0.12 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-a... | 9.8 - CRITICAL | 2022-06-29 | 2022-07-08 |
| CVE-2022-25481 | ThinkPHP Framework v5.0.24 was discovered to be configured without the PATHINFO parameter. This allows attackers to access al... | 7.5 - HIGH | 2022-03-21 | 2022-03-29 |
| CVE-2021-44892 | A Remote Code Execution (RCE) vulnerability exists in ThinkPHP 3.x.x via value[_filename] in index.php, which could let a mal... | 8.8 - HIGH | 2022-02-10 | 2022-02-23 |
| CVE-2021-44350 | SQL Injection vulnerability exists in ThinkPHP5 5.0.x <=5.1.22 via the parseOrder function in Builder.php. | 9.8 - CRITICAL | 2021-12-15 | 2021-12-20 |
| CVE-2021-36567 | ThinkPHP v6.0.8 was discovered to contain a deserialization vulnerability via the component League\Flysystem\Cached\Storage\A... | 9.8 - CRITICAL | 2021-12-06 | 2021-12-07 |
| CVE-2021-36564 | ThinkPHP v6.0.8 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-ad... | 9.8 - CRITICAL | 2021-12-06 | 2021-12-07 |
| CVE-2021-23592 | ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new secur... | 9.8 - CRITICAL | 2022-05-06 | 2022-05-16 |
| CVE-2020-20120 | ThinkPHP v3.2.3 and below contains a SQL injection vulnerability which is triggered when the array is not passed to the "wher... | 9.8 - CRITICAL | 2021-09-28 | 2021-10-06 |
| CVE-2019-9082 | ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via public//?s=i... | 8.8 - HIGH | 2019-02-24 | 2022-04-05 |
| CVE-2018-25270 | Not Provided | 2026-04-22 | 2026-04-22 | |
| CVE-2018-18546 | ThinkPHP 3.2.4 has SQL Injection via the order parameter because the Library/Think/Db/Driver.class.php parseOrder function mi... | 9.8 - CRITICAL | 2018-10-21 | 2018-12-04 |
| CVE-2018-18530 | ThinkPHP 5.1.25 has SQL Injection via the count parameter because the library/think/db/Query.php aggregate function mishandle... | 9.8 - CRITICAL | 2018-10-19 | 2018-12-04 |
| CVE-2018-18529 | ThinkPHP 3.2.4 has SQL Injection via the count parameter because the Library/Think/Db/Driver/Mysql.class.php parseKey functio... | 9.8 - CRITICAL | 2018-10-19 | 2018-12-04 |
| CVE-2018-17566 | In ThinkPHP 5.1.24, the inner function delete can be used for SQL injection when its WHERE condition's value can be controlle... | 9.8 - CRITICAL | 2018-09-26 | 2018-11-20 |
| CVE-2018-16385 | ThinkPHP before 5.1.23 allows SQL Injection via the public/index/index/test/index query string. | 9.8 - CRITICAL | 2018-09-03 | 2018-10-31 |
| CVE-2018-10225 | thinkphp 3.1.3 has SQL Injection via the index.php s parameter. | 9.8 - CRITICAL | 2018-04-19 | 2018-05-17 |
Known software with vulnerabilities from Thinkphp
| Type | Vendor | Product | Version |
|---|---|---|---|
| Application | Thinkphp | Thinkphp | 3.1.3 |