EIP-2026-112661

PRE-CVE

ThinkPHP 5.X - Remote Command Execution

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-112661. PoCs published by vr_system.

AI-analyzed exploit summary This exploit demonstrates multiple RCE vectors for ThinkPHP 5.x by leveraging method injection and arbitrary function calls via URL parameters. It includes payloads for various versions, exploiting deserialization and method invocation flaws.

Description

ThinkPHP 5.X - Remote Command Execution

Exploits (1)

exploitdb WORKING POC

by vr_system · textwebappsphp

https://www.exploit-db.com/exploits/46150

View Code ZIP pw:eip

This exploit demonstrates multiple RCE vectors for ThinkPHP 5.x by leveraging method injection and arbitrary function calls via URL parameters. It includes payloads for various versions, exploiting deserialization and method invocation flaws.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: ThinkPHP 5.x (various versions)

No auth needed

Prerequisites: Exposed ThinkPHP application · Network access to target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026