56 matches found

Nuclei
added 2 days ago, 85 views

Yii2 PHP Framework < 2.0.52 - Remote Code Execution

Yii2 PHP Framework before 2.0.52 is vulnerable to remote code execution via improper validation of the class key in JSON behaviors. An attacker can instantiate arbitrary PHP classes and achieve RCE. id: CVE-2024-58136 info: name: Yii2 PHP Framework 2.0.52 - Remote Code Execution author:...

CVSS 9.8 | AI score 8.7 | EPSS 0.77265
Exploits: 1 | References: 2
EUVD
added 2025/10/03 8:07 p.m., 10 views

EUVD-2025-7898

Malicious code in bioql PyPI...

CVSS 9.8 | AI score 6.6 | EPSS 0.00085
Exploits: 1 | References: 4
RedhatCVE
added 2025/03/26 7:20 a.m., 10 views

CVE-2025-2689

A vulnerability, which was classified as critical, has been found in yiisoft Yii2 up to 2.0.45. Affected by this issue is the function getIterator of the file symfony\finder\Iterator\SortableIterator.php. The manipulation leads to deserialization. The attack may be launched remotely. The exploit...

CVSS 9.8 | AI score 7.2 | EPSS 0.0011
Exploits: 1 | References: 1
NVD
added 2025/03/24 8:15 a.m., 14 views

CVE-2025-2690

A vulnerability, which was classified as critical, was found in yiisoft Yii2 up to 2.0.39. This affects the function Generate of the file phpunit\src\Framework\MockObject\MockClass.php. The manipulation leads to deserialization. It is possible to initiate the attack remotely. The exploit has been...

CVSS 9.8 | EPSS 0.00085
Exploits: 1 | References: 4
CVE
added 2025/03/24 7:00 a.m., 71 views

CVE-2025-2689

The CVE-2025-2689 entry concerns yiisoft/yii2 (up to 2.0.45). The vulnerability affects the getIterator function in Symfony’s finder/Iterator/SortableIterator.php, where manipulation leads to deserialization. The issue is described as exploitable remotely and publicized (exploitation details and ...

CVSS 9.8 | AI score 6.9 | EPSS 0.0011
Exploits: 1 | References: 4 | Affected Software: 1
Cvelist
added 2025/03/24 7:00 a.m., 10 views

CVE-2025-2689 yiisoft Yii2 SortableIterator.php getIterator deserialization

A vulnerability, which was classified as critical, has been found in yiisoft Yii2 up to 2.0.45. Affected by this issue is the function getIterator of the file symfony\finder\Iterator\SortableIterator.php. The manipulation leads to deserialization. The attack may be launched remotely. The exploit...

CVSS 6.5 | EPSS 0.0011
Exploits: 1 | References: 4
Veracode
added 2024/06/05 6:26 a.m., 27 views

Arbitrary Code Execution

yiisoft/yii2 is vulnerable to Arbitrary Code Execution. The vulnerability is due to improper validation in the set magic function when attaching behaviors to components, allowing instantiation of arbitrary classes if attacker-controlled input is provided...

CVSS 9.1 | AI score 6.7 | EPSS 0.002
Exploits: 1 | References: 3 | Affected Software: 1
Friends Of PHP
added 2024/06/04 4:23 p.m., 43 views

Unsafe Reflection in base Component class

Yii2 supports attaching Behaviors to Components by setting properties having the format 'as '. Internally this is done using the set magic method. If the value passed to this method is not an instance of the Behavior class, a new object is instantiated using Yii::createObject($value). However, ther...

CVSS 9.1 | AI score 8.9 | EPSS 0.002
Exploits: 1 | Affected Software: 1
Github Security Blog
added 2024/06/02 10:30 p.m., 38 views

Unsafe Reflection in base Component class in yiisoft/yii2

Yii2 supports attaching Behaviors to Components by setting properties having the format 'as '. Internally this is done using the set magic method. If the value passed to this method is not an instance of the Behavior class, a new object is instantiated using Yii::createObject($value). However, ther...

CVSS 9.1 | AI score 8.3 | EPSS 0.002
Exploits: 1 | References: 9 | Affected Software: 1
OSV
added 2024/06/02 10:30 p.m., 44 views

GHSA-CJCC-P67M-7QXM Unsafe Reflection in base Component class in yiisoft/yii2

Yii2 supports attaching Behaviors to Components by setting properties having the format 'as '. Internally this is done using the set magic method. If the value passed to this method is not an instance of the Behavior class, a new object is instantiated using Yii::createObject($value). However, ther...

CVSS 8.1 | AI score 8.3 | EPSS 0.002
Exploits: 1 | References: 9
Github Security Blog
added 2024/06/02 10:27 p.m., 25 views

Reflected Cross-site Scripting in yiisoft/yii2 Debug mode

During the internal penetration testing of our product based on Yii2, we discovered an XSS vulnerability within the framework itself. This issue is relevant for the latest version of Yii2 2.0.49.3. Conditions for vulnerability reproduction: The framework is in debug mode (YII_DEBUG set to true). The...

CVSS 4.7 | AI score 6.1 | EPSS 0.03985
Exploits: 0 | References: 7 | Affected Software: 1
OSV
added 2024/06/02 10:27 p.m., 11 views

GHSA-QG5R-95M4-MJGJ Reflected Cross-site Scripting in yiisoft/yii2 Debug mode

During the internal penetration testing of our product based on Yii2, we discovered an XSS vulnerability within the framework itself. This issue is relevant for the latest version of Yii2 2.0.49.3. Conditions for vulnerability reproduction: The framework is in debug mode (YII_DEBUG set to true). The...

CVSS 4.2 | AI score 4.6 | EPSS 0.03985
Exploits: 0 | References: 7
Cvelist
added 2024/05/30 7:52 p.m., 24 views

CVE-2024-32877 Reflected Cross-site Scripting in yiisoft/yii2 Debug mode

Yii 2 is a PHP application framework. During internal penetration testing of a product based on Yii2, users discovered a Cross-site Scripting (XSS) vulnerability within the framework itself. This issue is relevant for the latest version of Yii2 2.0.49.3. This issue lies in the mechanism for...

CVSS 4.2 | AI score 4.5 | EPSS 0.03985
Exploits: 0 | References: 2
OSV
added 2024/05/30 7:52 p.m., 14 views

CVE-2024-32877 Reflected Cross-site Scripting in yiisoft/yii2 Debug mode

Yii 2 is a PHP application framework. During internal penetration testing of a product based on Yii2, users discovered a Cross-site Scripting (XSS) vulnerability within the framework itself. This issue is relevant for the latest version of Yii2 2.0.49.3. This issue lies in the mechanism for...

CVSS 4.2 | AI score 5 | EPSS 0.03985
Exploits: 0 | References: 4
CVE
added 2023/12/22 6:30 p.m., 72 views

CVE-2023-50714

The vulnerability CVE-2023-50714 affects yii2-authclient (Yii framework 2.x) prior to version 2.2.15. The PKCE-protected OAuth2 implementation has two issues: (1) the authCodeVerifier should be removed after use (like authState), and (2) a downgrade attack risk if PKCE is relied upon for CSRF pro...

CVSS 8.8 | AI score 7.5 | EPSS 0.0015
Exploits: 1 | References: 5 | Affected Software: 1
Github Security Blog
added 2023/12/18 8:01 p.m., 24 views

yii2-authclient vulnerable to possible timing attack on string comparison in OAuth1, OAuth2 and OpenID Connect implementation

Impact: What kind of vulnerability is it? Who is impacted? Original Report: The OAuth1/2 "state" and OpenID Connect "nonce" is vulnerable to a "timing attack" since it's compared via regular string comparison instead of Yii::$app->getSecurity()->compareString(). Affected Code: 1. OAuth 1 "state"...

CVSS 9.8 | AI score 7 | EPSS 0.00162
Exploits: 1 | References: 7 | Affected Software: 1
OSV
added 2023/09/21 6:30 a.m., 30 views

GHSA-7CFQ-72W2-24Q4 Yii2 allows attackers to execute any local .php file via a relative path in the view parameter

web\ViewAction in Yii aka Yii2 2.x before 2.0.5 allows attackers to execute any local .php file via a relative path in the view parameter...

CVSS 9.8 | AI score 9.2 | EPSS 0.00137
Exploits: 0 | References: 5
Github Security Blog
added 2023/09/21 6:30 a.m., 25 views

Yii2 allows attackers to execute any local .php file via a relative path in the view parameter

web\ViewAction in Yii aka Yii2 2.x before 2.0.5 allows attackers to execute any local .php file via a relative path in the view parameter...

CVSS 9.8 | AI score 6.9 | EPSS 0.00137
Exploits: 0 | References: 6 | Affected Software: 1
Prion
added 2023/09/21 6:15 a.m., 9 views

Design/Logic Flaw

web\ViewAction in Yii aka Yii2 2.x before 2.0.5 allows attackers to execute any local .php file via a relative path in the view parameter...

CVSS 7.5 | AI score 7 | EPSS 0.00137
Exploits: 0 | References: 2 | Affected Software: 1
Cvelist
added 2023/09/21 12:00 a.m., 17 views

CVE-2015-5467

web\ViewAction in Yii aka Yii2 2.x before 2.0.5 allows attackers to execute any local .php file via a relative path in the view parameter...

AI score 9.2 | EPSS 0.00137
Exploits: 0 | References: 2