thinkcmf CVE Vulnerabilities & Metrics

Focus on thinkcmf vulnerabilities and metrics.

Last updated: 08 Mar 2025, 23:25 UTC

About thinkcmf Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with thinkcmf. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total thinkcmf CVEs: 14
Earliest CVE date: 30 Aug 2018, 05:29 UTC
Latest CVE date: 11 Aug 2023, 14:15 UTC

Latest CVE reference: CVE-2020-25915

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 0

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): -100.0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): -100.0%

Monthly CVE Trends (Current vs Previous Year)

Annual CVE Trends (Last 20 Years)

Critical thinkcmf CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 4.84

Max CVSS: 7.5

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range       Count
0.0-3.9     3
4.0-6.9     9
7.0-8.9     2
9.0-10.0    0

CVSS Distribution Chart

Top 5 Highest CVSS thinkcmf CVEs

These are the five CVEs with the highest CVSS scores for thinkcmf, sorted by severity first and then by recency.

All CVEs for thinkcmf

CVE-2020-25915 | thinkcmf vulnerability | CVSS: 0 | 11 Aug 2023, 14:15 UTC

Cross Site Scripting (XSS) vulnerability in UserController.php in ThinkCMF version 5.1.5 allows attackers to execute arbitrary code via a crafted user_login value.

CVE-2022-40849 | thinkcmf vulnerability | CVSS: 0 | 01 Dec 2022, 05:15 UTC

ThinkCMF version 6.0.7 is affected by Stored Cross-Site Scripting (XSS). An attacker who successfully exploited this vulnerability could inject a persistent XSS payload in the Slideshow Management section that executes arbitrary JavaScript code on the client side, e.g., to steal the administrator's PHP session token (PHPSESSID).

CVE-2022-40489 | thinkcmf vulnerability | CVSS: 0 | 01 Dec 2022, 05:15 UTC

ThinkCMF version 6.0.7 is affected by a Cross Site Request Forgery (CSRF) vulnerability that allows a Super Administrator user to be injected into administrative users.

CVE-2021-40616 | thinkcmf vulnerability | CVSS: 4.0 | 14 Jun 2022, 10:15 UTC

thinkcmf v5.1.7 has an improper authorization vulnerability. An attacker can modify the password of the administrator account with id 1 through the background user management group permissions. Exploitation requires that the attacker already holds the background user management group authority.

CVE-2020-20601 | thinkcmf vulnerability | CVSS: 7.5 | 22 Dec 2021, 23:15 UTC

An issue in ThinkCMF X2.2.2 and below allows attackers to execute arbitrary code via a crafted packet.

CVE-2020-18151 | thinkcmf vulnerability | CVSS: 4.3 | 14 Jul 2021, 19:15 UTC

Cross Site Request Forgery (CSRF) vulnerability in ThinkCMF v5.1.0 that can be used to add an admin account.

CVE-2019-7580 | thinkcmf vulnerability | CVSS: 6.5 | 07 Feb 2019, 17:29 UTC

ThinkCMF 5.0.190111 allows remote attackers to execute arbitrary PHP code via the portal/admin_category/addpost.html alias parameter because the mishandling of a single quote character allows data/conf/route.php injection.

CVE-2019-6713 | thinkcmf vulnerability | CVSS: 7.5 | 23 Jan 2019, 21:29 UTC

app\admin\controller\RouteController.php in ThinkCMF 5.0.190111 allows remote attackers to execute arbitrary PHP code by using vectors involving portal/List/index and list/:id to inject this code into data\conf\route.php, as demonstrated by a file_put_contents call.

CVE-2018-19898 | thinkcmf vulnerability | CVSS: 6.5 | 06 Dec 2018, 04:29 UTC

ThinkCMF X2.2.2 has SQL Injection via the method edit_post in ArticleController.class.php and is exploitable by normal authenticated users via the post[id][1] parameter in an article edit_post action.

CVE-2018-19897 | thinkcmf vulnerability | CVSS: 6.5 | 06 Dec 2018, 04:29 UTC

ThinkCMF X2.2.2 has SQL Injection via the function _listorders() in AdminbaseController.class.php and is exploitable with the manager privilege via the listorders[key][1] parameter in a Link listorders action.

CVE-2018-19896 | thinkcmf vulnerability | CVSS: 6.5 | 06 Dec 2018, 04:29 UTC

ThinkCMF X2.2.2 has SQL Injection via the function delete() in SlideController.class.php and is exploitable with the manager privilege via the ids[] parameter in a slide action.

CVE-2018-19895 | thinkcmf vulnerability | CVSS: 6.5 | 06 Dec 2018, 04:29 UTC

ThinkCMF X2.2.2 has SQL Injection via the function edit_post() in NavController.class.php and is exploitable with the manager privilege via the parentid parameter in a nav action.

CVE-2018-19894 | thinkcmf vulnerability | CVSS: 6.5 | 06 Dec 2018, 04:29 UTC

ThinkCMF X2.2.2 has SQL Injection via the functions check() and delete() in CommentadminController.class.php and is exploitable with the manager privilege via the ids[] parameter in a commentadmin action.

CVE-2018-16141 | thinkcmf vulnerability | CVSS: 5.5 | 30 Aug 2018, 05:29 UTC

ThinkCMF X2.2.3 has an arbitrary file deletion vulnerability in do_avatar in \application\User\Controller\ProfileController.class.php via an imgurl parameter with a ..\ sequence. A member user can delete any file on a Windows server.