CRITICAL🇵🇱 Wersja polska

CVE-2024-44902

CVSS 9.8v3.1pub. 2024-09-09upd. 2026-07-05

A deserialization vulnerability in Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code.

🤖 AI Analysis
How it works

The vulnerability results from unsafe processing (deserialization) of untrusted input data by the ThinkPHP framework (CWE-502). An attacker can provide a specially crafted payload that, during deserialization, is executed as code on the server side. The attack vector is network-based, requires no authentication or user interaction, making it particularly dangerous.

Impact

Successful exploitation of the vulnerability allows an attacker to execute arbitrary code remotely (RCE) on the server, which may lead to complete system takeover, data breach, and violation of service integrity and availability.

Mitigation & patch

Patches available from the vendor should be applied according to the references. It is recommended to update the ThinkPHP framework as soon as possible to a version higher than v8.0.4 and monitor the official vendor channel at http://thinkphp.com for detailed update instructions.

Who is affected

ThinkPHP in versions from v6.1.3 to v8.0.4

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Thinkphp

    APP
    Thinkphp
    6.1.3 – 8.0.4
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEDeserialization
CWE
References

Related vulnerabilities

CVE-2018-25270CRITICAL9.3PL ✓ten sam produkt

ThinkPHP 5.0.23 — zdalne wykonanie kodu przez parametr routingu (RCE)

CVE-2025-63888CRITICAL9.8PL ✓ten sam produkt

RCE w funkcji read sterownika szablonów ThinkPHP 5.0.24

CVE-2025-50707CRITICAL9.8PL ✓ten sam produkt

RCE w ThinkPHP 3 — wykonanie kodu przez komponent index.php

CVE-2025-50706CRITICAL9.8PL ✓ten sam produkt

RCE w ThinkPHP 5.1 przez funkcję routecheck

CVE-2024-48112CRITICAL9.8PL ✓ten sam produkt

ThinkPHP: RCE poprzez deserializację w Index.php (CVE-2024-48112)