We’re taking on a small number of new builds and rebuilds this quarter. Book a call to see if your project is a fit.

CVE CVE-2018-25270

CVE-2018-25270

PHP

Severity: CRITICAL
CVSS: 9.8CVSS
Published: 2026-04-22
Last modified: 2026-04-22
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-639

Description

ThinkPHP 5.0.23 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by invoking functions through the routing parameter. Attackers can craft requests to the index.php endpoint with malicious function parameters to execute system commands with application privileges.

References

https://github.com/top-think/framework/
https://thinkphp.cn
https://www.exploit-db.com/exploits/45978
https://www.vulncheck.com/advisories/thinkphp-remote-code-execution-via-invokefunction

Summary

Description

References