High severityNVD Advisory· Published Nov 23, 2022· Updated Apr 23, 2025

yiisoft/yii before v1.1.27 vulnerable to Remote Code Execution if the application calls `unserialize()` on arbitrary user input

CVE-2022-41922

Description

yiisoft/yii before version 1.1.27 are vulnerable to Remote Code Execution (RCE) if the application calls unserialize() on arbitrary user input. This has been patched in 1.1.27.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
yiisoft/yiiPackagist	< 1.1.27	1.1.27

Affected products

ghsa-coords
pkg:composer/yiisoft/yii
Range: < 1.1.27
yiisoft/yiiv5
Range: < 1.1.27

Patches

Vulnerability mechanics

References

github.com/advisories/GHSA-442f-wcwq-fpcfghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2022-41922ghsaADVISORY
github.com/yiisoft/yii/commit/ed67b7cc57216557c5c595c6650cdd2d3aa41c52ghsaWEB
github.com/yiisoft/yii/security/advisories/GHSA-442f-wcwq-fpcfghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.001
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000