Packagist (Composer) package
yiisoft/yii
pkg:composer/yiisoft/yii
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-32027 | — | < 1.1.31 | 1.1.31 | Apr 10, 2025 | Yii is an open source PHP web framework. Prior to 1.1.31, yiisoft/yii is vulnerable to Reflected XSS in specific scenarios where the fallback error renderer is used. Upgrade yiisoft/yii to version 1.1.31 or higher. | ||
| CVE-2023-47130 | — | < 1.1.29 | 1.1.29 | Nov 14, 2023 | Yii is an open source PHP web framework. yiisoft/yii before version 1.1.29 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. An attacker may leverage this vulnerability to compromise the host system. A fix has been dev | ||
| CVE-2022-41922 | — | < 1.1.27 | 1.1.27 | Nov 23, 2022 | `yiisoft/yii` before version 1.1.27 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. This has been patched in 1.1.27. | ||
| CVE-2014-4672 | — | >= 1.1.14, < 1.1.15 | 1.1.15 | Jul 3, 2014 | The CDetailView widget in Yii PHP Framework 1.1.14 allows remote attackers to execute arbitrary PHP scripts via vectors related to the value property. |
- CVE-2025-32027Apr 10, 2025affected < 1.1.31fixed 1.1.31
Yii is an open source PHP web framework. Prior to 1.1.31, yiisoft/yii is vulnerable to Reflected XSS in specific scenarios where the fallback error renderer is used. Upgrade yiisoft/yii to version 1.1.31 or higher.
- CVE-2023-47130Nov 14, 2023affected < 1.1.29fixed 1.1.29
Yii is an open source PHP web framework. yiisoft/yii before version 1.1.29 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. An attacker may leverage this vulnerability to compromise the host system. A fix has been dev
- CVE-2022-41922Nov 23, 2022affected < 1.1.27fixed 1.1.27
`yiisoft/yii` before version 1.1.27 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. This has been patched in 1.1.27.
- CVE-2014-4672Jul 3, 2014affected >= 1.1.14, < 1.1.15fixed 1.1.15
The CDetailView widget in Yii PHP Framework 1.1.14 allows remote attackers to execute arbitrary PHP scripts via vectors related to the value property.