VYPR
Vendor: Yiisoft

Products: 1
CVEs: 9
Across products: 9
Status: Private

Recent CVEs (9)
  • CVE-2026-39850 | High | May 20, 2026
    risk 0.41 | cvss 7.4 | epss 0.00

    Yii 2 is a PHP application framework. Versions 2.0.54 and prior contain flawed logic in the core view rendering method View::renderPhpFile() that leads to Local File Inclusion. The function calls extract($_params_, EXTR_OVERWRITE) before the require statement that loads the view…

  • CVE-2025-2690 | Mar 24, 2025
    risk 0.00 | cvss | epss 0.01

    A vulnerability, which was classified as critical, was found in yiisoft Yii2 up to 2.0.39. This affects the function Generate of the file phpunit\src\Framework\MockObject\MockClass.php. The manipulation leads to deserialization. It is possible to initiate the attack remotely.…

  • CVE-2025-2689 | Mar 24, 2025
    risk 0.00 | cvss | epss 0.01

    A vulnerability, which was classified as critical, has been found in yiisoft Yii2 up to 2.0.45. Affected by this issue is the function getIterator of the file symfony\finder\Iterator\SortableIterator.php. The manipulation leads to deserialization. The attack may be launched…

  • CVE-2024-4990 | Mar 20, 2025
    risk 0.00 | cvss | epss 0.79

    In yiisoft/yii2 version 2.0.48, the base Component class contains a vulnerability where the `__set()` magic method does not validate that the value passed is a valid Behavior class name or configuration. This allows an attacker to instantiate arbitrary classes, passing…

  • CVE-2024-32877 | May 30, 2024
    risk 0.00 | cvss | epss 0.00

    Yii 2 is a PHP application framework. During internal penetration testing of a product based on Yii2, users discovered a Cross-site Scripting (XSS) vulnerability within the framework itself. This issue is relevant for the latest version of Yii2 (2.0.49.3). This issue lies in the…

  • CVE-2021-3692 | Aug 10, 2021
    risk 0.00 | cvss | epss 0.02

    yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator

  • CVE-2021-3689 | Aug 10, 2021
    risk 0.00 | cvss | epss 0.02

    yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator

  • CVE-2020-15148 | Sep 15, 2020
    risk 0.00 | cvss | epss 0.79

    Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary user input. This is fixed in version 2.0.38. A possible workaround without upgrading is available in the linked advisory.

  • CVE-2018-20745 | Jan 28, 2019
    risk 0.00 | cvss | epss 0.01

    Yii 2.x through 2.0.15.1 actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems.