DNA View

Critical Severity Vulnerability

This vulnerability has been rated as Critical severity. Immediate action is recommended.

CVE-2018-25270

Critical

Low Medium High Critical

9.8

CVSS Score

Published: Apr 22, 2026

Last Modified: Apr 22, 2026

CWE: CWE-639

Vulnerability Description

ThinkPHP 5.0.23 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by invoking functions through the routing parameter. Attackers can craft requests to the index.php endpoint with malicious function parameters to execute system commands with application privileges.

CVSS Metrics

Common Vulnerability Scoring System

Vector String:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

References & Resources

Severity Details

9.8

out of 10.0

Critical

Weakness Type (CWE)

CWE-639

Authorization Bypass Through User-Controlled Key

Description: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Exploit Likelihood: High
Typical Severity: High
Abstraction Level: Base