Yiisoft

Recent CVEs (9)

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-39850 | Yiisoft / Yii 2 | High | 0.41 | 7.4 | 0.00 | | May 20, 2026 | Yii 2 is a PHP application framework. Versions 2.0.54 and prior contain flawed logic in the core view rendering method View::renderPhpFile() that leads to Local File Inclusion. The function calls extract($_params_, EXTR_OVERWRITE) before the require statement that loads the view… |
| CVE-2025-2690 | Yiisoft / Yii 2 | | 0.00 | — | 0.01 | | Mar 24, 2025 | A vulnerability, which was classified as critical, was found in yiisoft Yii2 up to 2.0.39. This affects the function Generate of the file phpunit\src\Framework\MockObject\MockClass.php. The manipulation leads to deserialization. It is possible to initiate the attack remotely.… |
| CVE-2025-2689 | Yiisoft / Yii 2 | | 0.00 | — | 0.01 | | Mar 24, 2025 | A vulnerability, which was classified as critical, has been found in yiisoft Yii2 up to 2.0.45. Affected by this issue is the function getIterator of the file symfony\finder\Iterator\SortableIterator.php. The manipulation leads to deserialization. The attack may be launched… |
| CVE-2024-4990 | Yiisoft / Yii 2 | | 0.00 | — | 0.79 | | Mar 20, 2025 | In yiisoft/yii2 version 2.0.48, the base Component class contains a vulnerability where the `__set()` magic method does not validate that the value passed is a valid Behavior class name or configuration. This allows an attacker to instantiate arbitrary classes, passing… |
| CVE-2024-32877 | Yiisoft / Yii 2 | | 0.00 | — | 0.00 | | May 30, 2024 | Yii 2 is a PHP application framework. During internal penetration testing of a product based on Yii2, users discovered a Cross-site Scripting (XSS) vulnerability within the framework itself. This issue is relevant for the latest version of Yii2 (2.0.49.3). This issue lies in the… |
| CVE-2021-3692 | Yiisoft / Yii 2 | | 0.00 | — | 0.02 | | Aug 10, 2021 | yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator |
| CVE-2021-3689 | Yiisoft / Yii 2 | | 0.00 | — | 0.02 | | Aug 10, 2021 | yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator |
| CVE-2020-15148 | Yiisoft / Yii 2 | | 0.00 | — | 0.79 | | Sep 15, 2020 | Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary user input. This is fixed in version 2.0.38. A possible workaround without upgrading is available in the linked advisory. |
| CVE-2018-20745 | Yiisoft / Yii 2 | | 0.00 | — | 0.01 | | Jan 28, 2019 | Yii 2.x through 2.0.15.1 actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems. |