Yiisoft Yii2 vulnerabilities
15 known vulnerabilities affecting yiisoft/yii2.
Total CVEs: 15
CISA KEV: 1 (actively exploited)
Public exploits: 2
Exploited in wild: 1
Severity breakdown: CRITICAL 6, HIGH 4, MEDIUM 5
Vulnerabilities
CVE-2024-58136 | P1 | CRITICAL | CVSS 9.1 | KEV | PoC | affected: ≥ 0, < 2.0.52 | 2025-04-10
CVE-2024-58136 [CRITICAL] CWE-424: yiisoft/yii2 Mishandles the Attaching of Behavior Defined by a `__class` Array Key
Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an `__class` array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025.
Sources: GHSA, OSV
CVE-2020-15148 | P1 | CRITICAL | CVSS 10.0 | PoC | fixed in 2.0.38 | 2020-09-15
CVE-2020-15148 [CRITICAL] CWE-502
Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary user input. This is fixed in version 2.0.38. A possible workaround without upgrading is available in the linked advisory.
Sources: GHSA, NVD, OSV
CVE-2024-4990 | P2 | HIGH | affected: ≥ 0, < 2.0.49.4 | 2024-06-02
CVE-2024-4990 [HIGH] CWE-470: Unsafe Reflection in base Component class in yiisoft/yii2
Yii2 supports attaching Behaviors to Components by setting properties having the format `'as '`.
Internally this is done using the `__set()` magic method. If the value passed to this method is not an instance of the `Behavior` class, a new object is instantiated using `Yii::createObject($value)`. However, there is no validation check that verifies tha
Sources: GHSA, OSV
CVE-2025-2690 | P2 | CRITICAL | CVSS 9.8 | affected: v2.0.0, v2.0.1, +38 more | 2025-03-24
CVE-2025-2690 [CRITICAL] CWE-20
A vulnerability, which was classified as critical, was found in yiisoft Yii2 up to 2.0.39. This affects the function Generate of the file phpunit\src\Framework\MockObject\MockClass.php. The manipulation leads to deserialization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Source: NVD
CVE-2025-2689 | P3 | CRITICAL | CVSS 9.8 | affected: v2.0.0, v2.0.1, +44 more | 2025-03-24
CVE-2025-2689 [CRITICAL] CWE-20
A vulnerability, which was classified as critical, has been found in yiisoft Yii2 up to 2.0.45. Affected by this issue is the function getIterator of the file symfony\finder\Iterator\SortableIterator.php. The manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Source: NVD
CVE-2023-26750 | P3 | CRITICAL | affected: ≥ 0, < 2.0.47 | 2023-04-04
CVE-2023-26750 [CRITICAL] CWE-79: Withdrawn: SQL injection in Yii 2
## Withdrawn Advisory
This advisory has been withdrawn because the issue originates from a product built on Yii2, not the Yii2 Framework itself. This link is maintained to preserve external references.
## Original Description
SQL injection vulnerability found in Yii Framework Yii 2 Framework before v.2.0.47 allows a remote attacker to execute arbitrary code via the runAction function.
Source: GHSA
CVE-2026-39850 | P3 | HIGH | CVSS 7.4 | fixed in 2.0.55 | 2026-05-20
CVE-2026-39850 [HIGH] CWE-20
Yii 2 is a PHP application framework. Versions 2.0.54 and prior contain flawed logic in the core view rendering method View::renderPhpFile() that leads to Local File Inclusion. The function calls extract($_params_, EXTR_OVERWRITE) before the require statement that loads the view file. As a result, a caller-controlled _file_ key in the $params array ove
Sources: GHSA, NVD
CVE-2015-5467 | P3 | CRITICAL | affected: ≥ 2.0.0, < 2.0.5 | 2023-09-21
CVE-2015-5467 [CRITICAL] CWE-22: Yii2 allows attackers to execute any local .php file via a relative path in the view parameter
web\ViewAction in Yii (aka Yii2) 2.x before 2.0.5 allows attackers to execute any local .php file via a relative path in the view parameter.
Sources: GHSA, OSV
CVE-2018-6010 | P3 | HIGH | affected: ≥ 2.0.0, < 2.0.14 | 2022-05-13
CVE-2018-6010 [HIGH] CWE-79: Yii Framework reflected Cross-site Scripting
In Yii Framework 2.x before 2.0.14, remote attackers could obtain potentially sensitive information from exception messages, or exploit reflected XSS on the error handler page in non-debug mode. Related to base/ErrorHandler.php, log/Dispatcher.php, and views/errorHandler/exception.php.
Sources: GHSA, OSV
CVE-2018-6009 | P3 | HIGH | affected: ≥ 2.0, < 2.0.14 | 2022-05-14
CVE-2018-6009 [HIGH] CWE-352: Yii Framework Cross-Site Request Forgery (CSRF)
In Yii Framework 2.x before 2.0.14, the switchIdentity function in web/User.php did not regenerate the CSRF token upon a change of identity.
Sources: GHSA, OSV
CVE-2018-20745 | P4 | MEDIUM | affected: ≥ 0, < 2.0.16 | 2022-05-14
CVE-2018-20745 [MEDIUM] CWE-346: Yii Incorrectly Implements CORS
Yii 2.x through 2.0.15.1 actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems.
Sources: GHSA, OSV
CVE-2017-7271 | P4 | MEDIUM | affected: ≥ 0, < 2.0.11 | 2022-05-17
CVE-2017-7271 [MEDIUM] CWE-79: Yii Framework Reflected XSS
Reflected Cross-site scripting (XSS) vulnerability in Yii Framework before 2.0.11, when development mode is used, allows remote attackers to inject arbitrary web script or HTML via crafted request data that is mishandled on the debug-mode exception screen.
Sources: GHSA, OSV
CVE-2017-11516 | P4 | MEDIUM | affected: ≥ 2.0.12, < 2.0.13 | 2022-05-17
CVE-2017-11516 [MEDIUM] CWE-79: Yii Cross-site Scripting Framework vulnerability
An XSS vulnerability exists in framework/views/errorHandler/exception.php in Yii Framework 2.0.12 affecting the exception screen when debug mode is enabled, because $exception->errorInfo is mishandled.
Sources: GHSA, OSV
CVE-2024-32877 | P4 | MEDIUM | CVSS 4.7 | affected: = 2.0.49.3 | 2024-05-30
CVE-2024-32877 [MEDIUM] CWE-79
Yii 2 is a PHP application framework. During internal penetration testing of a product based on Yii2, users discovered a Cross-site Scripting (XSS) vulnerability within the framework itself. This issue is relevant for the latest version of Yii2 (2.0.49.3). This issue lies in the mechanism for displaying function argument values in the stack trace. Th
Sources: GHSA, NVD, OSV
CVE-2015-3397 | P4 | MEDIUM | affected: ≥ 0, < 2.0.4 | 2022-05-17
CVE-2015-3397 [MEDIUM] CWE-79: Yii Framework Cross-site Scripting Vulnerability
Cross-site scripting (XSS) vulnerability in Yii Framework before 2.0.4 allows remote attackers to inject arbitrary web script or HTML via vectors related to JSON, arrays, and Internet Explorer 6 or 7.
Sources: GHSA, OSV