yiisoft/yii2
Packagist
12 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting yiisoft/yii2
- CVE-2015-3397 | Severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 2.0.4 | 2015-05-14
vulnerable: 2.0.0 ... 2.0.3 (7 versions)
Cross-site scripting (XSS) vulnerability in Yii Framework before 2.0.4 allows remote attackers to inject arbitrary web script or HTML via vectors related to JSON, arrays, and Internet Explorer 6 or 7.
- CVE-2015-5467 | Severity: CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 2.0.5 | 2023-09-21
vulnerable: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4
web\ViewAction in Yii (aka Yii2) 2.x before 2.0.5 allows attackers to execute any local .php file via a relative path in the view parameter.
- CVE-2017-11516 | Severity: MEDIUM | CVSS 6.1 | EG 6.1 | ✓ Fixed in 2.0.13 | 2017-07-21
vulnerable: 2.0.12, 2.0.12.1, 2.0.12.2
An XSS vulnerability exists in framework/views/errorHandler/exception.php in Yii Framework 2.0.12 affecting the exception screen when debug mode is enabled, because $exception->errorInfo is mishandled.
- CVE-2017-7271 | Severity: MEDIUM | CVSS 6.1 | EG 6.1 | ✓ Fixed in 2.0.11 | 2017-03-27
vulnerable: 2.0.0 ... 2.0.9 (14 versions)
Reflected Cross-site scripting (XSS) vulnerability in Yii Framework before 2.0.11, when development mode is used, allows remote attackers to inject arbitrary web script or HTML via crafted request data that is mishandled on the debug-mode …
- CVE-2018-20745 | Severity: MEDIUM | CVSS 5.9 | EG 5.9 | ✓ Fixed in 2.0.16 | 2019-01-28
vulnerable: 2.0.0 ... 2.0.9 (29 versions)
Yii 2.x through 2.0.15.1 actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems.
- CVE-2018-6009 | Severity: HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 2.0.14 | 2018-01-22
vulnerable: 2.0.0 ... 2.0.9 (24 versions)
In Yii Framework 2.x before 2.0.14, the switchIdentity function in web/User.php did not regenerate the CSRF token upon a change of identity.
- CVE-2018-6010 | Severity: HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 2.0.14 | 2018-01-22
vulnerable: 2.0.0 ... 2.0.9 (21 versions)
In Yii Framework 2.x before 2.0.14, remote attackers could obtain potentially sensitive information from exception messages, or exploit reflected XSS on the error handler page in non-debug mode. Related to base/ErrorHandler.php, log/Dispat…
- CVE-2020-15148 | Severity: HIGH | CVSS 8.9 | EG 8.9 | ✓ Fixed in 2.0.38 | 2020-09-15
vulnerable: 2.0.0 ... 2.0.9 (52 versions)
Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary user input. This is fixed in version 2.0.38. A possible workaround without upgrading is available in th…
- CVE-2024-32877 | Severity: MEDIUM | CVSS 4.2 | EG 4.2 | ✓ Fixed in 2.0.49.4 | 2024-05-30
vulnerable: 2.0.43 ... 2.0.49.3 (11 versions)
Yii 2 is a PHP application framework. During internal penetration testing of a product based on Yii2, users discovered a Cross-site Scripting (XSS) vulnerability within the framework itself. This issue is relevant for the latest version of…
- CVE-2024-4990 | Severity: CRITICAL | CVSS 9.1 | EG 9.1 | ✓ Fixed in 2.0.49.4 | 2025-03-20
vulnerable: 2.0.0 ... 2.0.9 (73 versions)
In yiisoft/yii2 version 2.0.48, the base Component class contains a vulnerability where the `__set()` magic method does not validate that the value passed is a valid Behavior class name or configuration. This allows an attacker to instanti…
- CVE-2024-58136 | Severity: CRITICAL | CVSS 9.0 | EG 9.0 | ⚠ KEV | ✓ Fixed in 2.0.52 | 2025-04-10
vulnerable: 2.0.0 ... 2.0.9 (76 versions)
Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an __class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025.
- CVE-2026-39850 | Severity: HIGH | CVSS 7.4 | EG 7.4 | ✓ Fixed in 2.0.55 | 2026-05-20
vulnerable: 2.0.0 ... 2.0.9 (79 versions)
Yii 2 is a PHP application framework. Versions 2.0.54 and prior contain flawed logic in the core view rendering method View::renderPhpFile() that leads to Local File Inclusion. The function calls extract($_params_, EXTR_OVERWRITE) before t…