CVE-2026-39850
Published 2026-05-20
Priority P3 47 · high · CVSS 3.1 base score 7.4
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.44% (percentile 35.3)
Yii 2 is a PHP application framework. Versions 2.0.54 and prior contain flawed logic in the core view rendering method View::renderPhpFile() that leads to Local File Inclusion. The function calls extract($_params_, EXTR_OVERWRITE) before the require statement that loads the view file. As a result, a caller-controlled _file_ key in the $params array overwrites the internal local variable specifying which file to include, potentially enabling RCE if an attacker can write PHP files through a separate primitive, as well as information disclosure. This issue has been fixed in version 2.0.55.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| yiisoft | yii2 | < 2.0.55 | 2.0.55 |
| yiisoft | yii2 | >= 0 < 2.0.55 | 2.0.55 |
VulDB
yiisoft yii2 up to 2.0.54 PHP File View::renderPhpFile _params_ input validation (GHSA-5vpg-rj7q-qpw2)
vuldb · 2026-05-20 · CVSS 7.4 · HIGH
A vulnerability marked as problematic has been reported in yiisoft yii2 up to 2.0.54. This affects the function View::renderPhpFile of the component PHP File Handler. The manipulation of the argument _params_ leads to improper input validation.
This vulnerability is traded as CVE-2026-39850. It is possible to initiate the attack remotely. There is no exploit available.
It is suggested to upgrade the affected component.
GHSA
Yii 2: Local file inclusion via view parameter name collision
ghsa · 2026-05-11 · CWE-20 · HIGH
The core view rendering method `View::renderPhpFile()` calls `extract($_params_, EXTR_OVERWRITE)` before the `require` statement that includes the view file. A caller-controlled parameter named `_file_` in the `$params` array overwrites the internal local variable that specifies which file is included — enabling a Local File Inclusion primitive.
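The collision described above, shown as an added example that is not Yii's own code: a minimal renderer with the same extract-before-require pattern beside a hardened variant that rejects the reserved parameter names and uses EXTR_SKIP. The function names (renderViewVulnerable, renderViewHardened) and the sample view and text files are constructed for this demonstration.

```php
<?php
// Added example, not Yii project code: a minimal stand-in for the
// extract()/require pattern the GHSA text describes, beside a hardened
// variant. Function names and the sample files are constructed for this demo.

declare(strict_types=1);

/** Vulnerable pattern: extract() runs with EXTR_OVERWRITE before require. */
function renderViewVulnerable(string $_file_, array $_params_ = []): string
{
    ob_start();
    // A caller-supplied '_file_' key replaces the local $_file_ right here,
    // so the require below loads whatever path the caller chose.
    extract($_params_, EXTR_OVERWRITE);
    require $_file_;
    return ob_get_clean();
}

/** Hardened variant: reject colliding names, and never let extract() clobber locals. */
function renderViewHardened(string $_file_, array $_params_ = []): string
{
    foreach (['_file_', '_params_'] as $reserved) {
        if (array_key_exists($reserved, $_params_)) {
            throw new InvalidArgumentException("Reserved view parameter name: $reserved");
        }
    }
    ob_start();
    extract($_params_, EXTR_SKIP); // second layer: existing locals are never overwritten
    require $_file_;
    return ob_get_clean();
}

// Constructed sample files in a scratch directory.
$dir = sys_get_temp_dir() . '/view-demo-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents("$dir/hello.php", 'Hello, <?= htmlspecialchars($name) ?>');
file_put_contents("$dir/config.txt", 'db_password=constructed-sample-value');

// Normal rendering: both variants behave the same.
echo renderViewVulnerable("$dir/hello.php", ['name' => 'Ada']), PHP_EOL;
echo renderViewHardened("$dir/hello.php", ['name' => 'Ada']), PHP_EOL;

// Name collision: the vulnerable renderer includes config.txt instead of the
// view; a non-PHP file is emitted verbatim, which is the file-read primitive.
$collision = ['name' => 'Ada', '_file_' => "$dir/config.txt"];
echo renderViewVulnerable("$dir/hello.php", $collision), PHP_EOL;

// The hardened renderer refuses the request before anything is included.
try {
    renderViewHardened("$dir/hello.php", $collision);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}

// Clean up the scratch files.
unlink("$dir/hello.php");
unlink("$dir/config.txt");
rmdir($dir);
```

Run it with `php demo.php`. The two defenses are deliberately layered: the explicit check makes a colliding key a visible error instead of a silent skip, while EXTR_SKIP guarantees that existing locals survive even if the reserved list ever falls out of step with the renderer's variables.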
### Impact
- Local File Inclusion (arbitrary file read via non-PHP files)
- Potential RCE if attacker can write PHP files via a separate primitive
- Information disclosure
### Patches
2.0.55
### Workarounds
No.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.