CVE-2018-25270 CRITICAL

CVE-2018-25270: ThinkPHP 5.0.23 Remote Code Execution via invokefunction

Vendor Thinkphp

Product ThinkPHP

Weakness CWE-639 · IDOR

Published April 22, 2026

Last update April 22, 2026

View on NVD All CVEs

CVSS base score

9.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

Description

ThinkPHP 5.0.23 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by invoking functions through the routing parameter. Attackers can craft requests to the index.php endpoint with malicious function parameters to execute system commands with application privileges.

Key dates

Disclosure timeline

April 22, 2026 CVE published

April 22, 2026 Record updated

Identifiers

CVE CVE-2018-25270

CWE CWE-639

CVSS 9.3 / CRITICAL

Affected versions

Vendor Thinkphp

Product ThinkPHP

Affected 5.0.23

Vendor Thinkphp

Product ThinkPHP

Affected 5.1.31