4 matches found

Vulnrichment
added 2026/05/20 7:51 p.m. | 5 views

CVE-2026-39850 Yii 2: Local file inclusion via view parameter name collision

Yii 2 is a PHP application framework. Versions 2.0.54 and prior contain flawed logic in the core view rendering method View::renderPhpFile that leads to Local File Inclusion. The function calls extract($params, EXTR_OVERWRITE) before the require statement that loads the view file. As a result, a...

7.4 CVSS | 5.7 AI score | 0.00022 EPSS
Exploits: 0 | References: 2

Cvelist
added 2026/05/20 7:51 p.m. | 26 views

CVE-2026-39850 Yii 2: Local file inclusion via view parameter name collision

Yii 2 is a PHP application framework. Versions 2.0.54 and prior contain flawed logic in the core view rendering method View::renderPhpFile that leads to Local File Inclusion. The function calls extract($params, EXTR_OVERWRITE) before the require statement that loads the view file. As a result, a...

7.4 CVSS | 0.00022 EPSS
Exploits: 0 | References: 2

CVE
added 2026/05/20 7:51 p.m. | 16 views

CVE-2026-39850

Summary: Yii 2.x before 2.0.55 contains a Local File Inclusion flaw in View::renderPhpFile() caused by a caller-controlled file parameter, which can overwrite the internal file selection and potentially enable RCE and information disclosure. Affected versions: 2.0.54 and earlier. Root cause: extrac...

7.4 CVSS | 5.7 AI score | 0.00022 EPSS
Exploits: 0 | References: 2

OSV
added 2026/05/11 7:34 p.m. | 4 views

GHSA-5VPG-RJ7Q-QPW2 Yii 2: Local file inclusion via view parameter name collision

The core view rendering method View::renderPhpFile calls extract($params, EXTR_OVERWRITE) before the require statement that includes the view file. A caller-controlled parameter named file in the $params array overwrites the internal local variable that specifies which file is included — enabling a...

7.4 CVSS | 5.8 AI score | 0.00022 EPSS
Exploits: 0 | References: 5