cbcvebase.

Yiiframework Yii vulnerabilities

19 known vulnerabilities affecting yiiframework/yii.

Total CVEs
19
CISA KEV
1
actively exploited
Public exploits
2
Exploited in wild
1
Severity breakdown
CRITICAL11HIGH2MEDIUM6

Vulnerabilities

Page 1 of 1
CVE-2024-58136P1CRITICALCVSS 9.8KEVPoCfixed in 2.0.522025-04-10
CVE-2024-58136 [CRITICAL] CVE-2024-58136: Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an __class array key, a Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an __class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025.
nvd
CVE-2020-15148P1CRITICALCVSS 10.0PoCfixed in 2.0.382020-09-15
CVE-2020-15148 [CRITICAL] CWE-502 CVE-2020-15148: Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary user input. This is fixed in version 2.0.38. A possible workaround without upgrading is available in the linked advisory.
nvd
CVE-2024-4990P2CRITICALCVSS 9.1v2.0.48≥ 2, < 2.0.522025-03-20
CVE-2024-4990 [CRITICAL] CWE-470 CVE-2024-4990: In yiisoft/yii2 version 2.0.48, the base Component class contains a vulnerability where the `__set() In yiisoft/yii2 version 2.0.48, the base Component class contains a vulnerability where the `__set()` magic method does not validate that the value passed is a valid Behavior class name or configuration. This allows an attacker to instantiate arbitrary classes, passing parameters to their constructors and invoking setter methods. Depending on the in
nvd
CVE-2023-47130P2CRITICALCVSS 9.8fixed in 1.1.292023-11-14
CVE-2023-47130 [CRITICAL] CWE-502 CVE-2023-47130: Yii is an open source PHP web framework. yiisoft/yii before version 1.1.29 are vulnerable to Remote Yii is an open source PHP web framework. yiisoft/yii before version 1.1.29 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. An attacker may leverage this vulnerability to compromise the host system. A fix has been developed for the 1.1.29 release. Users are advised to upgrade. There are
nvd
CVE-2025-2690P2CRITICALCVSS 9.8≥ 2.0.0, ≤ 2.0.392025-03-24
CVE-2025-2690 [CRITICAL] CWE-20 CVE-2025-2690: A vulnerability, which was classified as critical, was found in yiisoft Yii2 up to 2.0.39. This affe A vulnerability, which was classified as critical, was found in yiisoft Yii2 up to 2.0.39. This affects the function Generate of the file phpunit\src\Framework\MockObject\MockClass.php. The manipulation leads to deserialization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
nvd
CVE-2025-2689P3CRITICALCVSS 9.8≥ 2.0.0, ≤ 2.0.452025-03-24
CVE-2025-2689 [CRITICAL] CWE-20 CVE-2025-2689: A vulnerability, which was classified as critical, has been found in yiisoft Yii2 up to 2.0.45. Affe A vulnerability, which was classified as critical, has been found in yiisoft Yii2 up to 2.0.45. Affected by this issue is the function getIterator of the file symfony\finder\Iterator\SortableIterator.php. The manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
nvd
CVE-2022-41922P3CRITICALCVSS 9.8fixed in 1.1.272022-11-23
CVE-2022-41922 [CRITICAL] CWE-502 CVE-2022-41922: `yiisoft/yii` before version 1.1.27 are vulnerable to Remote Code Execution (RCE) if the application `yiisoft/yii` before version 1.1.27 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. This has been patched in 1.1.27.
nvd
CVE-2023-26750P3CRITICALCVSS 9.8≥ 2.0.0, ≤ 2.0.472023-04-04
CVE-2023-26750 [CRITICAL] CWE-89 CVE-2023-26750: SQL injection vulnerability found in Yii Framework Yii 2 Framework before v.2.0.47 allows the a remo SQL injection vulnerability found in Yii Framework Yii 2 Framework before v.2.0.47 allows the a remote attacker to execute arbitrary code via the runAction function. NOTE: the software maintainer's position is that the vulnerability is in third-party code, not in the framework.
nvd
CVE-2018-8073P3CRITICALCVSS 9.8fixed in 2.0.152018-03-21
CVE-2018-8073 [CRITICAL] CVE-2018-8073: Yii 2.x before 2.0.15 allows remote attackers to execute arbitrary LUA code via a variant of the CVE Yii 2.x before 2.0.15 allows remote attackers to execute arbitrary LUA code via a variant of the CVE-2018-7269 attack in conjunction with the Redis extension.
nvd
CVE-2018-7269P3CRITICALCVSS 9.8≥ 2.0.0, < 2.0.152018-03-21
CVE-2018-7269 [CRITICAL] CWE-89 CVE-2018-7269: The findByCondition function in framework/db/ActiveRecord.php in Yii 2.x before 2.0.15 allows remote The findByCondition function in framework/db/ActiveRecord.php in Yii 2.x before 2.0.15 allows remote attackers to conduct SQL injection attacks via a findOne() or findAll() call, unless a developer recognizes an undocumented need to sanitize array input.
nvd
CVE-2015-5467P3CRITICALCVSS 9.8≥ 2.0.0, < 2.0.52023-09-21
CVE-2015-5467 [CRITICAL] CWE-22 CVE-2015-5467: web\ViewAction in Yii (aka Yii2) 2.x before 2.0.5 allows attackers to execute any local .php file vi web\ViewAction in Yii (aka Yii2) 2.x before 2.0.5 allows attackers to execute any local .php file via a relative path in the view parameeter.
nvd
CVE-2018-8074P3HIGHCVSS 8.1≥ 2.0.0, < 2.0.152018-03-21
CVE-2018-8074 [HIGH] CVE-2018-8074: Yii 2.x before 2.0.15 allows remote attackers to inject unintended search conditions via a variant o Yii 2.x before 2.0.15 allows remote attackers to inject unintended search conditions via a variant of the CVE-2018-7269 attack in conjunction with the Elasticsearch extension.
nvd
CVE-2021-3689P3HIGHCVSS 7.5≥ 2.0.0, < 2.0.432021-08-10
CVE-2021-3689 [HIGH] CWE-1241 CVE-2021-3689: yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator
nvd
CVE-2018-20745P4MEDIUMCVSS 5.9≥ 2.0, ≤ 2.0.15.12019-01-28
CVE-2018-20745 [MEDIUM] CWE-346 CVE-2018-20745: Yii 2.x through 2.0.15.1 actively converts a wildcard CORS policy into reflecting an arbitrary Origi Yii 2.x through 2.0.15.1 actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems.
nvd
CVE-2021-3692P4MEDIUMCVSS 5.3≥ 2.0.0, < 2.0.432021-08-10
CVE-2021-3692 [MEDIUM] CWE-1241 CVE-2021-3692: yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator
nvd
CVE-2017-11516P4MEDIUMCVSS 6.1v2.0.122017-07-21
CVE-2017-11516 [MEDIUM] CWE-79 CVE-2017-11516: An XSS vulnerability exists in framework/views/errorHandler/exception.php in Yii Framework 2.0.12 af An XSS vulnerability exists in framework/views/errorHandler/exception.php in Yii Framework 2.0.12 affecting the exception screen when debug mode is enabled, because $exception->errorInfo is mishandled.
nvd
CVE-2022-31454P4MEDIUMCVSS 6.1v2.0.452023-07-28
CVE-2022-31454 [MEDIUM] CWE-79 CVE-2022-31454: Yii 2 v2.0.45 was discovered to contain a cross-site scripting (XSS) vulnerability via the endpoint Yii 2 v2.0.45 was discovered to contain a cross-site scripting (XSS) vulnerability via the endpoint /books. NOTE: this is disputed by the vendor because the cve-2022-31454-8e8555c31fd3 page does not describe why /books has a relationship to Yii 2.
nvd
CVE-2025-32027P4MEDIUMCVSS 6.1fixed in 1.1.312025-04-10
CVE-2025-32027 [MEDIUM] CWE-79 CVE-2025-32027: Yii is an open source PHP web framework. Prior to 1.1.31, yiisoft/yii is vulnerable to Reflected XSS Yii is an open source PHP web framework. Prior to 1.1.31, yiisoft/yii is vulnerable to Reflected XSS in specific scenarios where the fallback error renderer is used. Upgrade yiisoft/yii to version 1.1.31 or higher.
nvd
CVE-2024-32877P4MEDIUMCVSS 4.7v2.0.49.32024-05-30
CVE-2024-32877 [MEDIUM] CWE-79 CVE-2024-32877: Yii 2 is a PHP application framework. During internal penetration testing of a product based on Yii2 Yii 2 is a PHP application framework. During internal penetration testing of a product based on Yii2, users discovered a Cross-site Scripting (XSS) vulnerability within the framework itself. This issue is relevant for the latest version of Yii2 (2.0.49.3). This issue lies in the mechanism for displaying function argument values in the stack trace. Th
nvd
Yiiframework Yii vulnerabilities | cvebase