Yii 2

CVEs (12)

CVE	Vendor / Product	Sev	Risk	CVSS	EPSS	KEV	Published	Description
CVE-2017-7271	Yii Software Yii	Med	0.33	6.1	0.00		Mar 27, 2017	Reflected Cross-site scripting (XSS) vulnerability in Yii Framework before 2.0.11, when development mode is used, allows remote attackers to inject arbitrary web script or HTML via crafted request data that is mishandled on the debug-mode exception screen.
CVE-2024-58136	Yiiframework Yii		0.11	—	0.79	KEV	Apr 10, 2025	Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an __class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025.
CVE-2022-31454	Yii Yii 2		0.00	—	0.00		Jul 28, 2023	Yii 2 v2.0.45 was discovered to contain a cross-site scripting (XSS) vulnerability via the endpoint /books. NOTE: this is disputed by the vendor because the cve-2022-31454-8e8555c31fd3 page does not describe why /books has a relationship to Yii 2.
CVE-2020-36655	Yii Yii 2		0.00	—	0.04		Jan 21, 2023	Yii Yii2 Gii before 2.2.2 allows remote attackers to execute arbitrary code via the Generator.php messageCategory field. The attacker can embed arbitrary PHP code into the model file.
CVE-2022-34297	Yii Yii 2		0.00	—	0.00		Dec 9, 2022	Yii Yii2 Gii through 2.2.4 allows stored XSS by injecting a payload into any field.
CVE-2018-8073	Yii Yii 2		0.00	—	0.01		Mar 21, 2018	Yii 2.x before 2.0.15 allows remote attackers to execute arbitrary LUA code via a variant of the CVE-2018-7269 attack in conjunction with the Redis extension.
CVE-2018-7269	Yii Yii 2		0.00	—	0.01		Mar 21, 2018	The findByCondition function in framework/db/ActiveRecord.php in Yii 2.x before 2.0.15 allows remote attackers to conduct SQL injection attacks via a findOne() or findAll() call, unless a developer recognizes an undocumented need to sanitize array input.
CVE-2018-8074	Yii Yii 2		0.00	—	0.01		Mar 21, 2018	Yii 2.x before 2.0.15 allows remote attackers to inject unintended search conditions via a variant of the CVE-2018-7269 attack in conjunction with the Elasticsearch extension.
CVE-2018-6009	Yii Yii 2		0.00	—	0.00		Jan 22, 2018	In Yii Framework 2.x before 2.0.14, the switchIdentity function in web/User.php did not regenerate the CSRF token upon a change of identity.
CVE-2018-6010	Yii Yii 2		0.00	—	0.01		Jan 22, 2018	In Yii Framework 2.x before 2.0.14, remote attackers could obtain potentially sensitive information from exception messages, or exploit reflected XSS on the error handler page in non-debug mode. Related to base/ErrorHandler.php, log/Dispatcher.php, and…
CVE-2015-3397	Yiiframework Yiiframework		0.00	—	0.00		May 14, 2015	Cross-site scripting (XSS) vulnerability in Yii Framework before 2.0.4 allows remote attackers to inject arbitrary web script or HTML via vectors related to JSON, arrays, and Internet Explorer 6 or 7.
CVE-2014-4672	Yiiframework Yiiframework		0.00	—	0.01		Jul 3, 2014	The CDetailView widget in Yii PHP Framework 1.1.14 allows remote attackers to execute arbitrary PHP scripts via vectors related to the value property.

CVE-2017-7271MedMar 27, 2017
Yii Software
Yii
risk 0.33cvss 6.1epss 0.00
Reflected Cross-site scripting (XSS) vulnerability in Yii Framework before 2.0.11, when development mode is used, allows remote attackers to inject arbitrary web script or HTML via crafted request data that is mishandled on the debug-mode exception screen.
CVE-2024-58136KEVApr 10, 2025
Yiiframework
Yii
risk 0.11cvss —epss 0.79
Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an __class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025.
CVE-2022-31454Jul 28, 2023
Yii
Yii 2
risk 0.00cvss —epss 0.00
Yii 2 v2.0.45 was discovered to contain a cross-site scripting (XSS) vulnerability via the endpoint /books. NOTE: this is disputed by the vendor because the cve-2022-31454-8e8555c31fd3 page does not describe why /books has a relationship to Yii 2.
CVE-2020-36655Jan 21, 2023
Yii
Yii 2
risk 0.00cvss —epss 0.04
Yii Yii2 Gii before 2.2.2 allows remote attackers to execute arbitrary code via the Generator.php messageCategory field. The attacker can embed arbitrary PHP code into the model file.
CVE-2022-34297Dec 9, 2022
Yii
Yii 2
risk 0.00cvss —epss 0.00
Yii Yii2 Gii through 2.2.4 allows stored XSS by injecting a payload into any field.
CVE-2018-8073Mar 21, 2018
Yii
Yii 2
risk 0.00cvss —epss 0.01
Yii 2.x before 2.0.15 allows remote attackers to execute arbitrary LUA code via a variant of the CVE-2018-7269 attack in conjunction with the Redis extension.
CVE-2018-7269Mar 21, 2018
Yii
Yii 2
risk 0.00cvss —epss 0.01
The findByCondition function in framework/db/ActiveRecord.php in Yii 2.x before 2.0.15 allows remote attackers to conduct SQL injection attacks via a findOne() or findAll() call, unless a developer recognizes an undocumented need to sanitize array input.
CVE-2018-8074Mar 21, 2018
Yii
Yii 2
risk 0.00cvss —epss 0.01
Yii 2.x before 2.0.15 allows remote attackers to inject unintended search conditions via a variant of the CVE-2018-7269 attack in conjunction with the Elasticsearch extension.
CVE-2018-6009Jan 22, 2018
Yii
Yii 2
risk 0.00cvss —epss 0.00
In Yii Framework 2.x before 2.0.14, the switchIdentity function in web/User.php did not regenerate the CSRF token upon a change of identity.
CVE-2018-6010Jan 22, 2018
Yii
Yii 2
risk 0.00cvss —epss 0.01
In Yii Framework 2.x before 2.0.14, remote attackers could obtain potentially sensitive information from exception messages, or exploit reflected XSS on the error handler page in non-debug mode. Related to base/ErrorHandler.php, log/Dispatcher.php, and…
CVE-2015-3397May 14, 2015
Yiiframework
Yiiframework
risk 0.00cvss —epss 0.00
Cross-site scripting (XSS) vulnerability in Yii Framework before 2.0.4 allows remote attackers to inject arbitrary web script or HTML via vectors related to JSON, arrays, and Internet Explorer 6 or 7.
CVE-2014-4672Jul 3, 2014
Yiiframework
Yiiframework
risk 0.00cvss —epss 0.01
The CDetailView widget in Yii PHP Framework 1.1.14 allows remote attackers to execute arbitrary PHP scripts via vectors related to the value property.