Description
ThinkPHP 5.0.23 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by invoking functions through the routing parameter. Attackers can craft requests to the index.php endpoint with malicious function parameters to execute system commands with application privileges.
Published: 2026-04-22
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

ThinkPHP 5.0.23 contains a remote code execution flaw that allows unauthenticated attackers to craft requests to the index.php endpoint with malicious function parameters, enabling the execution of arbitrary PHP code with the privileges of the application. This vulnerability is a classic authorization bypass (CWE-639) and could be leveraged to run system commands, exfiltrate data, or take complete control of the affected server.

Affected Systems

ThinkPHP is a PHP framework that is widely used in web applications. The impact is limited to ThinkPHP installations running the following versions: 5.0.23, 5.1.31, 6.0.15, 6.0.16, 6.1.3 through 6.1.5, 8.0.0 (including the beta), 8.0.1, 8.0.2, 8.0.3, and 8.0.4.

Risk and Exploitability

The CVSS score of 9.3 places this flaw in the high-severity category. EPSS is not available, but the absence of authentication and the straightforward HTTP request required for exploitation suggest a high likelihood of real-world attacks. The vulnerability is not listed in CISA's KEV catalog, yet its potential to allow an attacker to execute code on the server remains significant. Countermeasures would need to prevent unauthenticated use of the invokefunction route or enable robust input validation.

Generated by OpenCVE AI on April 22, 2026 at 18:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the ThinkPHP security patch or upgrade to a version where the invoke function vulnerability has been removed.
  • If an upgrade is not yet possible, disable the invokefunction feature in the framework configuration or block access to index.php for unauthenticated users via web server rules.
  • Deploy a WAF or similar filtering layer to detect and reject requests containing malicious invokefunction parameters.
  • Monitor web server logs for suspicious usage patterns and enable alerts for repeated invocation attempts.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Description ThinkPHP 5.0.23 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by invoking functions through the routing parameter. Attackers can craft requests to the index.php endpoint with malicious function parameters to execute system commands with application privileges.
Title ThinkPHP 5.0.23 Remote Code Execution via invokefunction
First Time appeared Thinkphp
Thinkphp thinkphp
Weaknesses CWE-639
CPEs cpe:2.3:a:thinkphp:thinkphp:5.0.23:*:*:*:*:*:*:*
cpe:2.3:a:thinkphp:thinkphp:5.1.31:*:*:*:*:*:*:*
cpe:2.3:a:thinkphp:thinkphp:6.0.15:*:*:*:*:*:*:*
cpe:2.3:a:thinkphp:thinkphp:6.0.16:*:*:*:*:*:*:*
cpe:2.3:a:thinkphp:thinkphp:6.1.3:*:*:*:*:*:*:*
cpe:2.3:a:thinkphp:thinkphp:6.1.4:*:*:*:*:*:*:*
cpe:2.3:a:thinkphp:thinkphp:6.1.5:*:*:*:*:*:*:*
cpe:2.3:a:thinkphp:thinkphp:8.0.0:*:*:*:*:*:*:*
cpe:2.3:a:thinkphp:thinkphp:8.0.0:beta:*:*:*:*:*:*
cpe:2.3:a:thinkphp:thinkphp:8.0.1:*:*:*:*:*:*:*
cpe:2.3:a:thinkphp:thinkphp:8.0.2:*:*:*:*:*:*:*
cpe:2.3:a:thinkphp:thinkphp:8.0.3:*:*:*:*:*:*:*
cpe:2.3:a:thinkphp:thinkphp:8.0.4:*:*:*:*:*:*:*
Vendors & Products Thinkphp
Thinkphp thinkphp
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-22T15:59:29.873Z

Reserved: 2026-04-22T14:32:40.667Z

Link: CVE-2018-25270

Vulnrichment

Updated: 2026-04-22T15:58:48.965Z

NVD

Status : Awaiting Analysis

Published: 2026-04-22T16:16:47.770

Modified: 2026-04-22T21:23:52.620

Link: CVE-2018-25270

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T21:30:27Z

Weaknesses