Unknown · ThinkPHP Framework · CVE-2022-47945
**Name of the Vulnerable Software and Affected Versions**
ThinkPHP Framework versions prior to 6.0.14
**Description**
The issue allows local file inclusion via the `lang` parameter when the language pack feature is enabled (`lang_switch_on=true`). An unauthenticated remote attacker can exploit this to execute arbitrary operating system commands, as demonstrated by including `pearcmd.php`. Over 572 IPs have launched attacks, with exploitation attempts spiking recently.
**Recommendations**
For ThinkPHP Framework versions prior to 6.0.14, consider disabling the language pack feature by setting `lang_switch_on=false` until a patch is available. Restrict access to the `lang` parameter to minimize the risk of exploitation.
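
To find the exploitation attempts described above in your own logs, the following added example (not part of the original advisory or of ThinkPHP) scans access-log lines for `lang` query values that are not plain language codes. The combined log format, the allow-list pattern and the sample lines are assumptions constructed for illustration, and only the query string is inspected.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Combined log format: ip, ident, user, [time], "METHOD target PROTO", status
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+) [^"]*" (\d{3})')
# Assumption: legitimate values are short language codes such as en, zh-cn, pt_BR
SAFE_LANG = re.compile(r'[A-Za-z]{2,3}([-_][A-Za-z0-9]{2,8})*')

def classify_lang(value):
    """Return why a lang value is suspicious, or None if it is a plain code."""
    decoded = value
    for _ in range(3):  # peel nested percent-encoding layers
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    lowered = decoded.lower().replace("\\", "/")
    if "pearcmd" in lowered:
        return "pearcmd reference"
    if "../" in lowered or lowered.startswith("/"):
        return "path traversal"
    return None if SAFE_LANG.fullmatch(decoded) else "not a language code"

def scan(lines):
    """Return (client_ip, reason, http_status) for each suspicious lang value."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, _method, target, status = m.groups()
        params = parse_qs(urlsplit(target).query)  # decodes one encoding layer
        for value in params.get("lang", []):
            reason = classify_lang(value)
            if reason:
                findings.append((ip, reason, int(status)))
    return findings

# Constructed sample lines (documentation IP ranges, placeholder paths)
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?lang=zh-cn HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?lang=../../../../path/to/pearcmd HTTP/1.1" 200 87',
    '203.0.113.4 - - [01/Jan/2024:10:00:09 +0000] "GET /?lang=..%252f..%252ftmp%252fx HTTP/1.1" 404 0',
    '192.0.2.10 - - [01/Jan/2024:10:00:12 +0000] "GET /static/app.js HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

A finding with a 200 status on an affected version deserves closer review than one that returned 404, since the status is the only hint in the access log of whether the request reached the application.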