Vulnerability detail

Enriched intelligence for a single CVE

9.8

CVSS
Critical

CVE-2022-47945

PUBLISHED

ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled...

Exploited in the wild Remote Low complexity No user interaction

Vendor: n/a
Product: n/a
Published: Dec 23, 2022
EPSS: —

Description

ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled (lang_switch_on=true). An unauthenticated and remote attacker can exploit this to execute arbitrary operating system commands, as demonstrated by including pearcmd.php.

nuclei_scanner

CVSS scores

CVSS v3.1 9.8 Critical

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitation status

Exploited in the wild

Recorded 2025-06-21 00:00:00 UTC · Source

SSVC decision points

Exploitation: poc
Automatable: Yes
Technical impact: total

References

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source	Added
The Shadowserver (via CIRCL)	Jun 21, 2025

Scanner integrations

Scanner	Reference	Detected
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-47945.yaml	Apr 25, 2025

Timeline

CVE ID Reserved

December 23, 2022
CVE Published to Public

December 23, 2022
Detected by Nuclei

April 25, 2025
Added to KEVIntel

June 21, 2025