{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2018-25270", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-22T14:32:40.667Z", "datePublished": "2026-04-22T14:57:03.961Z", "dateUpdated": "2026-04-22T15:59:29.873Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-22T14:57:03.961Z"}, "datePublic": "2018-12-11T00:00:00.000Z", "title": "ThinkPHP 5.0.23 Remote Code Execution via invokefunction", "descriptions": [{"lang": "en", "value": "ThinkPHP 5.0.23 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by invoking functions through the routing parameter. Attackers can craft requests to the index.php endpoint with malicious function parameters to execute system commands with application privileges."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "affected": [{"vendor": "Thinkphp", "product": "ThinkPHP", "versions": [{"version": "5.0.23", "status": "affected"}, {"version": "5.1.31", "status": "affected"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:thinkphp:thinkphp:5.1.31:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:thinkphp:thinkphp:5.0.23:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:thinkphp:thinkphp:6.1.3:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:thinkphp:thinkphp:8.0.4:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:thinkphp:thinkphp:8.0.3:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:thinkphp:thinkphp:8.0.2:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:thinkphp:thinkphp:8.0.1:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:thinkphp:thinkphp:8.0.0:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:thinkphp:thinkphp:8.0.0:beta:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:thinkphp:thinkphp:6.1.5:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:thinkphp:thinkphp:6.1.4:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:thinkphp:thinkphp:6.0.16:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:thinkphp:thinkphp:6.0.15:*:*:*:*:*:*:*"}]}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.3, "baseSeverity": "CRITICAL", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://www.exploit-db.com/exploits/45978", "name": "ExploitDB-45978", "tags": ["exploit"]}, {"url": "https://thinkphp.cn", "name": "Official Product Homepage", "tags": ["product"]}, {"url": "https://github.com/top-think/framework/", "name": "Product Reference", "tags": ["product"]}, {"name": "VulnCheck Advisory: ThinkPHP 5.0.23 Remote Code Execution via invokefunction", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/thinkphp-remote-code-execution-via-invokefunction"}], "credits": [{"lang": "en", "value": "VulnSpy", "type": "finder"}], "x_generator": {"engine": "vulncheck"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T15:57:46.876160Z", "id": "CVE-2018-25270", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T15:59:29.873Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2018-25270", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-22T15:57:46.876160Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T15:58:48.965Z"}}], "cna": {"title": "ThinkPHP 5.0.23 Remote Code Execution via invokefunction", "credits": [{"lang": "en", "type": "finder", "value": "VulnSpy"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Thinkphp", "product": "ThinkPHP", "versions": [{"status": "affected", "version": "5.0.23"}, {"status": "affected", "version": "5.1.31"}]}], "datePublic": "2018-12-11T00:00:00.000Z", "references": [{"url": "https://www.exploit-db.com/exploits/45978", "name": "ExploitDB-45978", "tags": ["exploit"]}, {"url": "https://thinkphp.cn", "name": "Official Product Homepage", "tags": ["product"]}, {"url": "https://github.com/top-think/framework/", "name": "Product Reference", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/thinkphp-remote-code-execution-via-invokefunction", "name": "VulnCheck Advisory: ThinkPHP 5.0.23 Remote Code Execution via invokefunction", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "ThinkPHP 5.0.23 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by invoking functions through the routing parameter. Attackers can craft requests to the index.php endpoint with malicious function parameters to execute system commands with application privileges."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "Authorization Bypass Through User-Controlled Key"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:thinkphp:thinkphp:5.1.31:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:thinkphp:thinkphp:5.0.23:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:thinkphp:thinkphp:6.1.3:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:thinkphp:thinkphp:8.0.4:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:thinkphp:thinkphp:8.0.3:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:thinkphp:thinkphp:8.0.2:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:thinkphp:thinkphp:8.0.1:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:thinkphp:thinkphp:8.0.0:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:thinkphp:thinkphp:8.0.0:beta:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:thinkphp:thinkphp:6.1.5:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:thinkphp:thinkphp:6.1.4:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:thinkphp:thinkphp:6.0.16:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:thinkphp:thinkphp:6.0.15:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-22T14:57:03.961Z"}}}, "cveMetadata": {"cveId": "CVE-2018-25270", "state": "PUBLISHED", "dateUpdated": "2026-04-22T15:59:29.873Z", "dateReserved": "2026-04-22T14:32:40.667Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-04-22T14:57:03.961Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "ThinkPHP 5.0.23 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by invoking functions through the routing parameter. Attackers can craft requests to the index.php endpoint with malicious function parameters to execute system commands with application privileges."}], "id": "CVE-2018-25270", "lastModified": "2026-04-22T16:16:47.770", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-22T16:16:47.770", "references": [{"source": "disclosure@vulncheck.com", "url": "https://github.com/top-think/framework/"}, {"source": "disclosure@vulncheck.com", "url": "https://thinkphp.cn"}, {"source": "disclosure@vulncheck.com", "url": "https://www.exploit-db.com/exploits/45978"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/thinkphp-remote-code-execution-via-invokefunction"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T18:27:23.427682+00:00", "value": {"mitigation_remediation": ["Apply the ThinkPHP security patch or upgrade to a version where the invoke function vulnerability has been removed.", "If an upgrade is not yet possible, disable the invokefunction feature in the framework configuration or block access to index.php for unauthenticated users via web server rules.", "Deploy a WAF or similar filtering layer to detect and reject requests containing malicious invokefunction parameters.", "Monitor web server logs for suspicious usage patterns and enable alerts for repeated invocation attempts."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "ThinkPHP is a PHP framework that is used widely across web applications. The impact is limited to ThinkPHP installations running the following versions: 5.0.23, 5.1.31, 6.0.15, 6.0.16, 6.1.3 through 6.1.5, and 8.0.0 (including the beta, 8.0.1, 8.0.2, 8.0.3, and 8.0.4 releases.", "description_and_impact": "ThinkPHP 5.0.23 contains a remote code execution flaw that allows unauthenticated attackers to craft requests to the index.php endpoint with malicious function parameters, enabling the execution of arbitrary PHP code with the privileges of the application. This vulnerability is a classic authorization bypass (CWE-639) and could be leveraged to run system commands, exfiltrate data, or take complete control of the affected server.", "risk_and_exploitability": "The CVSS score of 9.3 places this flaw in the high\u2011severity category. EPSS is not available, but the absence of authentication and the straightforward HTTP request required for exploitation suggest a high likelihood of real\u2011world attacks. The vulnerability is not listed in CISA's KEV catalog, yet its potential to allow an attacker to execute code on the server remains significant. Countermeasures would need to prevent unauthenticated use of the invokefunction route or enable robust input validation."}}}}, "created": "2026-04-22T18:30:23.755304+00:00", "updated": "2026-04-22T18:30:23.755314+00:00", "vendors": []}