164 matches found
CVE-2026-39850
Yii 2 is a PHP application framework. Versions 2.0.54 and prior contain flawed logic in the core view rendering method View::renderPhpFile that leads to Local File Inclusion. The function calls extract$params, EXTROVERWRITE before the require statement that loads the view file. As a result, a...
CVE-2026-39850 Yii 2: Local file inclusion via view parameter name collision
Yii 2 is a PHP application framework. Versions 2.0.54 and prior contain flawed logic in the core view rendering method View::renderPhpFile that leads to Local File Inclusion. The function calls extract$params, EXTROVERWRITE before the require statement that loads the view file. As a result, a...
EUVD-2026-31190
Yii 2 is a PHP application framework. Versions 2.0.54 and prior contain flawed logic in the core view rendering method View::renderPhpFile that leads to Local File Inclusion. The function calls extract$params, EXTROVERWRITE before the require statement that loads the view file. As a result, a...
CVE-2026-39850 Yii 2: Local file inclusion via view parameter name collision
Yii 2 is a PHP application framework. Versions 2.0.54 and prior contain flawed logic in the core view rendering method View::renderPhpFile that leads to Local File Inclusion. The function calls extract$params, EXTROVERWRITE before the require statement that loads the view file. As a result, a...
CVE-2026-39850
Yii 2 is a PHP application framework. Versions 2.0.54 and prior contain flawed logic in the core view rendering method View::renderPhpFile that leads to Local File Inclusion. The function calls extract$params, EXTROVERWRITE before the require statement that loads the view file. As a result, a...
CVE-2026-39850
Summary: Yii 2.x before 2.0.55 contains a Local File Inclusion flaw in View::renderPhpFile() caused by caller-controlled file parameter, which can overwrite the internal file selection and potentially enable RCE and information disclosure. Affected versions: 2.0.54 and earlier. Root cause: extrac...
Yii 输入验证错误漏洞
Yii is a high-performance PHP framework developed by the YII team. It is designed for developing large-scale web applications using components. Yii 2 versions 2.0.54 and earlier contained a vulnerability related to input validation errors. This vulnerability stemmed from a logical flaw in the cor...
PHP Remote File Inclusion
Overview yiisoft/yii2 is a Yii PHP Framework. Affected versions of this package are vulnerable to PHP Remote File Inclusion via the View::renderPhpFile process. An attacker can access arbitrary files or potentially execute code by supplying a specially crafted file parameter in the $params array,...
Yii 2: Local file inclusion via view parameter name collision
The core view rendering method View::renderPhpFile calls extract$params, EXTROVERWRITE before the require statement that includes the view file. A caller-controlled parameter named file in the $params array overwrites the internal local variable that specifies which file is included — enabling a...
GHSA-5VPG-RJ7Q-QPW2 Yii 2: Local file inclusion via view parameter name collision
The core view rendering method View::renderPhpFile calls extract$params, EXTROVERWRITE before the require statement that includes the view file. A caller-controlled parameter named file in the $params array overwrites the internal local variable that specifies which file is included — enabling a...
PT-2026-39402
Name of the Vulnerable Software and Affected Versions Yii Framework versions prior to 2.0.55 Description Internal variables in the View::renderPhpFile and ErrorHandler::renderFile functions are not isolated, which can lead to parameter collisions that allow the overriding of included file paths...
Yii2 MCP Server 命令注入漏洞
Yii2 MCP Server is a database and project management tool developed by Arthur Minasyan for the Yii2 framework. Version 1.0.2 of Yii2 MCP Server contains a command injection vulnerability. This vulnerability stems from improper handling of the yiicommandhelp/yiiexecutecommand function in the MCP...
Remote Code Execution (RCE)
craftcms/cms is vulnerable to Remote Code Execution RCE. The vulnerability is due to improper sanitization of user-supplied configuration data in the assembleLayoutFromPost function before passing it to Craft::createObject, which allows an authenticated administrator to inject malicious Yii2...
Yii Framework 2.0.9 Reflected Cross Site Scripting
A reflected cross site scripting vulnerability exists in Yii Framework version 2.0.9 and earlier versions before 2.0.14. The vulnerability exists in the error handler component. This issue is older research added to the archive...
CVE-2022-37783
All Craft CMS versions between 3.0.0 and 3.7.32 disclose password hashes of users who authenticate using their E-Mail address or username in Anti-CSRF-Tokens. Craft CMS uses a cookie called CRAFTCSRFTOKEN and a HTML hidden field called CRAFTCSRFTOKEN to avoid Cross Site Request Forgery attacks. T...
Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior
Note that attackers must have administrator access to the Craft Control Panel for this to work. Users should update to the patched versions 5.8.21 and 4.16.17 to mitigate the issue. Resources: https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef...
BIT-LIMESURVEY-2025-41076 Multiple vulnerabilities in Limesurvey
In version 6.13.0 of LimeSurvey, any external user can cause a 500 error in the survey system by sending a malformed session cookie. Instead of displaying a generic error message, the system exposes internal backend information, including the use of the Yii framework, the MySQL/MariaDB database...
CVE-2025-41076
In version 6.13.0 of LimeSurvey, any external user can cause a 500 error in the survey system by sending a malformed session cookie. Instead of displaying a generic error message, the system exposes internal backend information, including the use of the Yii framework, the MySQL/MariaDB database...
CVE-2025-41076
In version 6.13.0 of LimeSurvey, any external user can cause a 500 error in the survey system by sending a malformed session cookie. Instead of displaying a generic error message, the system exposes internal backend information, including the use of the Yii framework, the MySQL/MariaDB database...
CVE-2025-41076
In version 6.13.0 of LimeSurvey, any external user can cause a 500 error in the survey system by sending a malformed session cookie. Instead of displaying a generic error message, the system exposes internal backend information, including the use of the Yii framework, the MySQL/MariaDB database...