Packagist (Composer) package
yiisoft/yii2
pkg:composer/yiisoft/yii2
Vulnerabilities (13)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-39850 | High | 7.4 |  | < 2.0.55 | 2.0.55 | May 20, 2026 | Yii 2 is a PHP application framework. Versions 2.0.54 and prior contain flawed logic in the core view rendering method View::renderPhpFile() that leads to Local File Inclusion. The function calls extract($_params_, EXTR_OVERWRITE) before the require statement that loads the view |
| CVE-2024-58136 | — | — | Yes | < 2.0.52 | 2.0.52 | Apr 10, 2025 | Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an __class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025. |
| CVE-2024-4990 | — | — |  | < 2.0.49.4 | 2.0.49.4 | Mar 20, 2025 | In yiisoft/yii2 version 2.0.48, the base Component class contains a vulnerability where the `__set()` magic method does not validate that the value passed is a valid Behavior class name or configuration. This allows an attacker to instantiate arbitrary classes, passing parameters |
| CVE-2024-32877 | — | — |  | >= 2.0.43, < 2.0.49.4 | 2.0.49.4 | May 30, 2024 | Yii 2 is a PHP application framework. During internal penetration testing of a product based on Yii2, users discovered a Cross-site Scripting (XSS) vulnerability within the framework itself. This issue is relevant for the latest version of Yii2 (2.0.49.3). This issue lies in the |
| CVE-2015-5467 | — | — |  | >= 2.0.0, < 2.0.5 | 2.0.5 | Sep 21, 2023 | web\ViewAction in Yii (aka Yii2) 2.x before 2.0.5 allows attackers to execute any local .php file via a relative path in the view parameter. |
| CVE-2023-26750 | — | — |  | < 2.0.47 | 2.0.47 | Apr 4, 2023 | SQL injection vulnerability found in Yii Framework Yii 2 Framework before v.2.0.47 allows a remote attacker to execute arbitrary code via the runAction function. NOTE: the software maintainer's position is that the vulnerability is in third-party code, not in the framework. |
| CVE-2020-15148 | — | — |  | < 2.0.38 | 2.0.38 | Sep 15, 2020 | Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary user input. This is fixed in version 2.0.38. A possible workaround without upgrading is available in the linked advisory. |
| CVE-2018-20745 | — | — |  | < 2.0.16 | 2.0.16 | Jan 28, 2019 | Yii 2.x through 2.0.15.1 actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems. |
| CVE-2018-6010 | — | — |  | >= 2.0.0, < 2.0.14 | 2.0.14 | Jan 22, 2018 | In Yii Framework 2.x before 2.0.14, remote attackers could obtain potentially sensitive information from exception messages, or exploit reflected XSS on the error handler page in non-debug mode. Related to base/ErrorHandler.php, log/Dispatcher.php, and views/errorHandler/exceptio |
| CVE-2018-6009 | — | — |  | >= 2.0, < 2.0.14 | 2.0.14 | Jan 22, 2018 | In Yii Framework 2.x before 2.0.14, the switchIdentity function in web/User.php did not regenerate the CSRF token upon a change of identity. |
| CVE-2017-11516 | Medium | 6.1 |  | >= 2.0.12, < 2.0.13 | 2.0.13 | Jul 21, 2017 | An XSS vulnerability exists in framework/views/errorHandler/exception.php in Yii Framework 2.0.12 affecting the exception screen when debug mode is enabled, because $exception->errorInfo is mishandled. |
| CVE-2017-7271 | Medium | 6.1 |  | < 2.0.11 | 2.0.11 | Mar 27, 2017 | Reflected Cross-site scripting (XSS) vulnerability in Yii Framework before 2.0.11, when development mode is used, allows remote attackers to inject arbitrary web script or HTML via crafted request data that is mishandled on the debug-mode exception screen. |
| CVE-2015-3397 | — | — |  | < 2.0.4 | 2.0.4 | May 14, 2015 | Cross-site scripting (XSS) vulnerability in Yii Framework before 2.0.4 allows remote attackers to inject arbitrary web script or HTML via vectors related to JSON, arrays, and Internet Explorer 6 or 7. |