Skip to content

Commit 4bc0d15

Browse files
committed
add: AVE-2026-0053
1 parent 912f639 commit 4bc0d15

1 file changed

Lines changed: 28 additions & 0 deletions

File tree

vulns/2026/AVE-2026-0053.toml

Lines changed: 28 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,28 @@
1+
[basic]
2+
description = 'ThinkPHP 5.0.x至5.1.x版本的框架对HTTP请求参数的过滤机制存在缺陷,攻击者可通过构造带有 `s=index/\think\Request/input&filter=phpinfo` 参数的恶意HTTP请求,将任意PHP函数注入执行,从而实现远程代码执行。该漏洞影响大量使用ThinkPHP框架的Web应用,攻击门槛低、危害范围广。CVSS评分9.8,危险等级严重。'
3+
published = "2019-11-20"
4+
remediation = '升级ThinkPHP至5.1.8及以上版本,或直接迁移至ThinkPHP5.1.x/6.x版本以获取完整修复。该漏洞由`think\yaml`类在解析YAML输入时未做安全过滤导致反序列化RCE,官方已在5.0.24版本中移除该方法调用。'
5+
score = 9.8
6+
severity = "CRITICAL"
7+
sources = ["nuclei"]
8+
title = "ThinkPHP ThinkPHP框架过滤参数反序列化远程代码执行漏洞"
9+
updated = "2025-05-14"
10+
11+
[exploit]
12+
exp_urls = []
13+
poc_urls = []
14+
15+
[id]
16+
aliases = ["NUCLEI-HTTP-VULNERABILITIES-THINKPHP-THINKPHP-5023-RCE-YAML"]
17+
ave_id = "AVE-2026-0053"
18+
19+
[meta]
20+
collected_at = "2026-07-15T00:00:00Z"
21+
status = "completed"
22+
23+
[references]
24+
urls = [
25+
"https://github.com/nangge/noneCms/issues/21",
26+
"http://packetstormsecurity.com/files/157218/ThinkPHP-5.0.23-Remote-Code-Execution.html",
27+
"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-20062",
28+
]

0 commit comments

Comments
 (0)