CVE-2018-25270

CRITICAL 9.8

ThinkPHP 5.0.23 Remote Code Execution via invokefunction

CVSS Score

9.8

EPSS Score

0.0%

EPSS Percentile

0th

ThinkPHP 5.0.23 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by invoking functions through the routing parameter. Attackers can craft requests to the index.php endpoint with malicious function parameters to execute system commands with application privileges.

CWE	CWE-639
Vendor	thinkphp
Product	thinkphp
Published	Apr 22, 2026
Last Updated	Apr 22, 2026

Stay Ahead of the Next One

Get instant alerts for thinkphp thinkphp

Be the first to know when new critical vulnerabilities affecting thinkphp thinkphp are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

Thinkphp / ThinkPHP

5.0.23 5.1.31

References

NVD ↗ CVE.org ↗ EPSS Data ↗

exploit-db.com: https://www.exploit-db.com/exploits/45978 thinkphp.cn: https://thinkphp.cn github.com: https://github.com/top-think/framework/ vulncheck.com: https://www.vulncheck.com/advisories/thinkphp-remote-code-execution-via-invokefunction

Credits

VulnSpy