topthink/framework
Packagist18 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting topthink/frameworkpage 1 of 1
- CVE-2018-10225CRITICALCVSS 9.8EG 9.82018-04-19
vulnerable: 3.1.3
thinkphp 3.1.3 has SQL Injection via the index.php s parameter.
- CVE-2018-16385CRITICALCVSS 9.8EG 9.8✓ Fixed in 5.1.232018-09-03
vulnerable: 5.0 ... v5.1.9 (57 versions)
ThinkPHP before 5.1.23 allows SQL Injection via the public/index/index/test/index query string.
- CVE-2018-17566CRITICALCVSS 9.8EG 9.82018-09-26
vulnerable: 5.1.24
In ThinkPHP 5.1.24, the inner function delete can be used for SQL injection when its WHERE condition's value can be controlled by a user's request.
- CVE-2018-18529CRITICALCVSS 9.8EG 9.82018-10-19
ThinkPHP 3.2.4 has SQL Injection via the count parameter because the Library/Think/Db/Driver/Mysql.class.php parseKey function mishandles the key variable. NOTE: a backquote character is not required in the attack URI.
- CVE-2018-18530CRITICALCVSS 9.8EG 9.82018-10-19
vulnerable: 5.0 ... v5.1.9 (60 versions)
ThinkPHP 5.1.25 has SQL Injection via the count parameter because the library/think/db/Query.php aggregate function mishandles the aggregate variable. NOTE: a backquote character is required in the attack URI.
- CVE-2018-18546CRITICALCVSS 9.8EG 9.82018-10-21
ThinkPHP 3.2.4 has SQL Injection via the order parameter because the Library/Think/Db/Driver.class.php parseOrder function mishandles the key variable.
- CVE-2021-23592HIGHCVSS 7.7EG 7.7✓ Fixed in 6.0.122022-05-06
vulnerable: 5.0 ... v6.0.9 (98 versions)
The package topthink/framework before 6.0.12 are vulnerable to Deserialization of Untrusted Data due to insecure unserialize method in the Driver class.
- CVE-2021-36564CRITICALCVSS 9.8EG 9.8✓ Fixed in 6.0.92021-12-06
vulnerable: 5.0 ... v6.0.8 (95 versions)
ThinkPHP v6.0.8 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-adapter\src\Storage\Adapter.php.
- CVE-2021-36567CRITICALCVSS 9.8EG 9.82021-12-06
vulnerable: 5.0 ... v6.0.8 (95 versions)
ThinkPHP v6.0.8 was discovered to contain a deserialization vulnerability via the component League\Flysystem\Cached\Storage\AbstractCache.
- CVE-2021-44350CRITICALCVSS 9.8EG 9.82021-12-15
vulnerable: 5.0 ... v5.1.9 (53 versions)
SQL Injection vulnerability exists in ThinkPHP5 5.0.x <=5.1.22 via the parseOrder function in Builder.php.
- CVE-2021-44892HIGHCVSS 8.8EG 8.82022-02-10
A Remote Code Execution (RCE) vulnerability exists in ThinkPHP 3.x.x via value[_filename] in index.php, which could let a malicious user obtain server control privileges.
- CVE-2022-25481HIGHCVSS 7.5EG 7.52022-03-21
vulnerable: 5.0 ... v5.0.9 (29 versions)
ThinkPHP Framework v5.0.24 was discovered to be configured without the PATHINFO parameter. This allows attackers to access all system environment parameters from index.php. NOTE: this is disputed by a third party because system environment…
- CVE-2022-33107CRITICALCVSS 9.8EG 9.82022-06-29
vulnerable: 5.0 ... v6.0.9 (99 versions)
ThinkPHP v6.0.12 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-adapter\src\Storage\AbstractCache.php. This vulnerability allows attackers to execute arbitrary code via a crafted …
- CVE-2022-38352CRITICALCVSS 9.8EG 9.82022-09-15
vulnerable: 5.0 ... v6.0.9 (100 versions)
ThinkPHP v6.0.13 was discovered to contain a deserialization vulnerability via the component League\Flysystem\Cached\Storage\Psr6Cache. This vulnerability allows attackers to execute arbitrary code via a crafted payload.
- CVE-2022-44289HIGHCVSS 8.8EG 8.82022-12-06
vulnerable: v5.1.0 ... v5.1.9 (44 versions)
Thinkphp 5.1.41 and 5.0.24 has a code logic error which causes file upload getshell.
- CVE-2022-47945CRITICALCVSS 9.8EG 9.8✓ Fixed in 6.0.142022-12-23
vulnerable: 5.0 ... v6.0.9 (100 versions)
ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled (lang_switch_on=true). An unauthenticated and remote attacker can exploit this to execute arbitrary operating sys…
- CVE-2024-34467MEDIUMCVSS 6.1EG 6.1✓ Fixed in 6.0.172024-05-04
vulnerable: 5.0 ... v6.0.9 (103 versions)
ThinkPHP 8.0.3 allows remote attackers to exploit XSS due to inadequate filtering of function argument values in think_exception.tpl.
- CVE-2024-44902CRITICALCVSS 9.8EG 9.82024-09-09
vulnerable: v6.1.3 ... v8.0.4 (9 versions)
A deserialization vulnerability in Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code.
Check whether topthink/framework is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for topthink/framework CVEs against the assets you own.
Start Free Scan →