thinkphp CVE Vulnerabilities & Metrics

Focus on thinkphp vulnerabilities and metrics.

Last updated: 08 Mar 2025, 23:25 UTC

About thinkphp Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with thinkphp. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total thinkphp CVEs: 20
Earliest CVE date: 19 Apr 2018, 08:29 UTC
Latest CVE date: 09 Sep 2024, 20:15 UTC

Latest CVE reference: CVE-2024-44902

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 1

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical thinkphp CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 5.67

Max CVSS: 10.0

Critical CVEs (≥9): 2

CVSS Range vs. Count

Range	Count
0.0-3.9	5
4.0-6.9	2
7.0-8.9	11
9.0-10.0	2

CVSS Distribution Chart

Top 5 Highest CVSS thinkphp CVEs

These are the five CVEs with the highest CVSS scores for thinkphp, sorted by severity first and recency.

CVE-2021-36567 thinkphp Published on 06 Dec 2021, 21:15 UTC (CVSS: 10.0)
ThinkPHP v6.0.8 was discovered to contain a deserialization vulnerability via the component League\Flysystem\Cached\Storage\AbstractCache.
CVE-2019-9082 thinkphp Published on 24 Feb 2019, 18:29 UTC (CVSS: 9.3)
ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.
CVE-2022-33107 thinkphp Published on 29 Jun 2022, 12:15 UTC (CVSS: 7.5)
ThinkPHP v6.0.12 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-adapter\src\Storage\AbstractCache.php. This vulnerability allows attackers to execute arbitrary code via a crafted payload.
CVE-2021-23592 thinkphp Published on 06 May 2022, 20:15 UTC (CVSS: 7.5)
The package topthink/framework before 6.0.12 are vulnerable to Deserialization of Untrusted Data due to insecure unserialize method in the Driver class.
CVE-2021-44350 thinkphp Published on 15 Dec 2021, 23:15 UTC (CVSS: 7.5)
SQL Injection vulnerability exists in ThinkPHP5 5.0.x <=5.1.22 via the parseOrder function in Builder.php.

All CVEs for thinkphp

CVE-2024-44902 thinkphp vulnerability CVSS: 0 09 Sep 2024, 20:15 UTC

A deserialization vulnerability in Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code.

CVE-2022-45982 thinkphp vulnerability CVSS: 0 08 Feb 2023, 21:15 UTC

thinkphp 6.0.0~6.0.13 and 6.1.0~6.1.1 contains a deserialization vulnerability. This vulnerability allows attackers to execute arbitrary code via a crafted payload.

CVE-2022-47945 thinkphp vulnerability CVSS: 0 23 Dec 2022, 21:15 UTC

ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled (lang_switch_on=true). An unauthenticated and remote attacker can exploit this to execute arbitrary operating system commands, as demonstrated by including pearcmd.php.

CVE-2022-44289 thinkphp vulnerability CVSS: 0 06 Dec 2022, 16:15 UTC

Thinkphp 5.1.41 and 5.0.24 has a code logic error which causes file upload getshell.

CVE-2022-38352 thinkphp vulnerability CVSS: 0 15 Sep 2022, 02:15 UTC

ThinkPHP v6.0.13 was discovered to contain a deserialization vulnerability via the component League\Flysystem\Cached\Storage\Psr6Cache. This vulnerability allows attackers to execute arbitrary code via a crafted payload.

CVE-2022-33107 thinkphp vulnerability CVSS: 7.5 29 Jun 2022, 12:15 UTC

ThinkPHP v6.0.12 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-adapter\src\Storage\AbstractCache.php. This vulnerability allows attackers to execute arbitrary code via a crafted payload.

CVE-2021-23592 thinkphp vulnerability CVSS: 7.5 06 May 2022, 20:15 UTC

The package topthink/framework before 6.0.12 are vulnerable to Deserialization of Untrusted Data due to insecure unserialize method in the Driver class.

CVE-2022-25481 thinkphp vulnerability CVSS: 5.0 21 Mar 2022, 00:15 UTC

ThinkPHP Framework v5.0.24 was discovered to be configured without the PATHINFO parameter. This allows attackers to access all system environment parameters from index.php. NOTE: this is disputed by a third party because system environment exposure is an intended feature of the debugging mode.

CVE-2021-44892 thinkphp vulnerability CVSS: 6.5 10 Feb 2022, 17:15 UTC

A Remote Code Execution (RCE) vulnerability exists in ThinkPHP 3.x.x via value[_filename] in index.php, which could let a malicious user obtain server control privileges.

CVE-2021-44350 thinkphp vulnerability CVSS: 7.5 15 Dec 2021, 23:15 UTC

SQL Injection vulnerability exists in ThinkPHP5 5.0.x <=5.1.22 via the parseOrder function in Builder.php.

CVE-2021-36567 thinkphp vulnerability CVSS: 10.0 06 Dec 2021, 21:15 UTC

ThinkPHP v6.0.8 was discovered to contain a deserialization vulnerability via the component League\Flysystem\Cached\Storage\AbstractCache.

CVE-2021-36564 thinkphp vulnerability CVSS: 7.5 06 Dec 2021, 21:15 UTC

ThinkPHP v6.0.8 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-adapter\src\Storage\Adapter.php.

CVE-2020-20120 thinkphp vulnerability CVSS: 7.5 28 Sep 2021, 23:15 UTC

ThinkPHP v3.2.3 and below contains a SQL injection vulnerability which is triggered when the array is not passed to the "where" and "query" methods.

CVE-2019-9082 thinkphp vulnerability CVSS: 9.3 24 Feb 2019, 18:29 UTC

ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.

CVE-2018-18546 thinkphp vulnerability CVSS: 7.5 21 Oct 2018, 01:29 UTC

ThinkPHP 3.2.4 has SQL Injection via the order parameter because the Library/Think/Db/Driver.class.php parseOrder function mishandles the key variable.

CVE-2018-18530 thinkphp vulnerability CVSS: 7.5 19 Oct 2018, 20:29 UTC

ThinkPHP 5.1.25 has SQL Injection via the count parameter because the library/think/db/Query.php aggregate function mishandles the aggregate variable. NOTE: a backquote character is required in the attack URI.

CVE-2018-18529 thinkphp vulnerability CVSS: 7.5 19 Oct 2018, 20:29 UTC

ThinkPHP 3.2.4 has SQL Injection via the count parameter because the Library/Think/Db/Driver/Mysql.class.php parseKey function mishandles the key variable. NOTE: a backquote character is not required in the attack URI.

CVE-2018-17566 thinkphp vulnerability CVSS: 7.5 26 Sep 2018, 21:29 UTC

In ThinkPHP 5.1.24, the inner function delete can be used for SQL injection when its WHERE condition's value can be controlled by a user's request.

CVE-2018-16385 thinkphp vulnerability CVSS: 7.5 03 Sep 2018, 02:29 UTC

ThinkPHP before 5.1.23 allows SQL Injection via the public/index/index/test/index query string.

CVE-2018-10225 thinkphp vulnerability CVSS: 7.5 19 Apr 2018, 08:29 UTC

thinkphp 3.1.3 has SQL Injection via the index.php s parameter.