ThinkPHP deserialization vulnerability
A deserialization vulnerability in the component \controller\Index.php of Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code.
Advisories for Composer/Topthink/Thinkphp package
2024
2021
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
ThinkPHP v3.2.3 and below contains a SQL injection vulnerability which is triggered when the array is not passed to the "where" and "query" methods.