
Yiisoft Yii2 vulnerabilities

15 known vulnerabilities affecting yiisoft/yii2.

Total CVEs: 15
CISA KEV: 1 (actively exploited)
Public exploits: 2
Exploited in wild: 1
Severity breakdown: CRITICAL 6, HIGH 4, MEDIUM 5

Vulnerabilities

CVE-2024-58136 | P1 | CRITICAL | CVSS 9.1 | KEV | PoC | affected: ≥ 0, < 2.0.52 | 2025-04-10
CWE-424: yiisoft/yii2 Mishandles the Attaching of Behavior Defined by a `__class` Array Key
Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an __class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025.
Sources: GHSA, OSV
CVE-2020-15148 | P1 | CRITICAL | CVSS 10.0 | PoC | fixed in 2.0.38 | 2020-09-15
CWE-502: Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary user input. This is fixed in version 2.0.38. A possible workaround without upgrading is available in the linked advisory.
Sources: GHSA, NVD, OSV
CVE-2024-4990 | P2 | HIGH | affected: ≥ 0, < 2.0.49.4 | 2024-06-02
CWE-470: Unsafe Reflection in base Component class in yiisoft/yii2
Yii2 supports attaching Behaviors to Components by setting properties having the format `'as '`. Internally this is done using the `__set()` magic method. If the value passed to this method is not an instance of the `Behavior` class, a new object is instantiated using `Yii::createObject($value)`. However, there is no validation check that verifies tha
Sources: GHSA, OSV
CVE-2025-2690 | P2 | CRITICAL | CVSS 9.8 | affected: v2.0.0, v2.0.1, +38 more | 2025-03-24
CWE-20: A vulnerability, which was classified as critical, was found in yiisoft Yii2 up to 2.0.39. This affects the function Generate of the file phpunit\src\Framework\MockObject\MockClass.php. The manipulation leads to deserialization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Source: NVD
CVE-2025-2689 | P3 | CRITICAL | CVSS 9.8 | affected: v2.0.0, v2.0.1, +44 more | 2025-03-24
CWE-20: A vulnerability, which was classified as critical, has been found in yiisoft Yii2 up to 2.0.45. Affected by this issue is the function getIterator of the file symfony\finder\Iterator\SortableIterator.php. The manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Source: NVD
CVE-2023-26750 | P3 | CRITICAL | affected: ≥ 0, < 2.0.47 | 2023-04-04
CWE-79: Withdrawn: SQL injection in Yii 2
Withdrawn Advisory: This advisory has been withdrawn because the issue originates from a product built on Yii2, not the Yii2 Framework itself. This link is maintained to preserve external references.
Original Description: SQL injection vulnerability found in Yii Framework Yii 2 Framework before v.2.0.47 allows a remote attacker to execute arbitrary code via the runAction function.
Source: GHSA
CVE-2026-39850 | P3 | HIGH | CVSS 7.4 | fixed in 2.0.55 | 2026-05-20
CWE-20: Yii 2 is a PHP application framework. Versions 2.0.54 and prior contain flawed logic in the core view rendering method View::renderPhpFile() that leads to Local File Inclusion. The function calls extract($_params_, EXTR_OVERWRITE) before the require statement that loads the view file. As a result, a caller-controlled _file_ key in the $params array ove
Sources: GHSA, NVD
CVE-2015-5467 | P3 | CRITICAL | affected: ≥ 2.0.0, < 2.0.5 | 2023-09-21
CWE-22: Yii2 allows attackers to execute any local .php file via a relative path in the view parameter
web\ViewAction in Yii (aka Yii2) 2.x before 2.0.5 allows attackers to execute any local .php file via a relative path in the view parameter.
Sources: GHSA, OSV
CVE-2018-6010 | P3 | HIGH | affected: ≥ 2.0.0, < 2.0.14 | 2022-05-13
CWE-79: Yii Framework reflected Cross-site Scripting
In Yii Framework 2.x before 2.0.14, remote attackers could obtain potentially sensitive information from exception messages, or exploit reflected XSS on the error handler page in non-debug mode. Related to base/ErrorHandler.php, log/Dispatcher.php, and views/errorHandler/exception.php.
Sources: GHSA, OSV
CVE-2018-6009 | P3 | HIGH | affected: ≥ 2.0, < 2.0.14 | 2022-05-14
CWE-352: Yii Framework Cross-Site Request Forgery (CSRF)
In Yii Framework 2.x before 2.0.14, the switchIdentity function in web/User.php did not regenerate the CSRF token upon a change of identity.
Sources: GHSA, OSV
CVE-2018-20745 | P4 | MEDIUM | affected: ≥ 0, < 2.0.16 | 2022-05-14
CWE-346: Yii Incorrectly Implements CORS
Yii 2.x through 2.0.15.1 actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems.
Sources: GHSA, OSV
CVE-2017-7271 | P4 | MEDIUM | affected: ≥ 0, < 2.0.11 | 2022-05-17
CWE-79: Yii Framework Reflected XSS
Reflected Cross-site scripting (XSS) vulnerability in Yii Framework before 2.0.11, when development mode is used, allows remote attackers to inject arbitrary web script or HTML via crafted request data that is mishandled on the debug-mode exception screen.
Sources: GHSA, OSV
CVE-2017-11516 | P4 | MEDIUM | affected: ≥ 2.0.12, < 2.0.13 | 2022-05-17
CWE-79: Yii Cross-site Scripting Framework vulnerability
An XSS vulnerability exists in framework/views/errorHandler/exception.php in Yii Framework 2.0.12 affecting the exception screen when debug mode is enabled, because $exception->errorInfo is mishandled.
Sources: GHSA, OSV
CVE-2024-32877 | P4 | MEDIUM | CVSS 4.7 | affected: = 2.0.49.3 | 2024-05-30
CWE-79: Yii 2 is a PHP application framework. During internal penetration testing of a product based on Yii2, users discovered a Cross-site Scripting (XSS) vulnerability within the framework itself. This issue is relevant for the latest version of Yii2 (2.0.49.3). This issue lies in the mechanism for displaying function argument values in the stack trace. Th
Sources: GHSA, NVD, OSV
CVE-2015-3397 | P4 | MEDIUM | affected: ≥ 0, < 2.0.4 | 2022-05-17
CWE-79: Yii Framework Cross-site Scripting Vulnerability
Cross-site scripting (XSS) vulnerability in Yii Framework before 2.0.4 allows remote attackers to inject arbitrary web script or HTML via vectors related to JSON, arrays, and Internet Explorer 6 or 7.
Sources: GHSA, OSV
Yiisoft Yii2 vulnerabilities | cvebase