31 matches found
EUVD-2025-7345
Malicious code in bioql PyPI...
EUVD-2024-2024
Malicious code in bioql PyPI...
Cross-Site Scripting
yiisoft/yii is vulnerable to Reflected Cross-Site Scripting (XSS). The vulnerability occurs in specific scenarios where the fallback error renderer is used, allowing an attacker to execute arbitrary scripts in the context of the user's browser...
Yii does not prevent XSS in scenarios where fallback error renderer is used
Impact: Affected versions of yiisoft/yii are vulnerable to Reflected XSS in specific scenarios where the fallback error renderer is used. Patches: Upgrade yiisoft/yii to version 1.1.31 or higher. References: Git commit. If you have any questions or comments about this advisory, contact us through...
CVE-2025-32027
Yii is an open source PHP web framework. Prior to 1.1.31, yiisoft/yii is vulnerable to Reflected XSS in specific scenarios where the fallback error renderer is used. Upgrade yiisoft/yii to version 1.1.31 or higher...
PT-2025-15994 · Yii · Yiisoft/Yii
Name of the Vulnerable Software and Affected Versions: yiisoft/yii versions prior to 1.1.31 Description: The issue concerns a Reflected XSS vulnerability in specific scenarios where the fallback error renderer is used. Recommendations: For versions prior to 1.1.31, upgrade yiisoft/yii to version...
Deserialization Of Untrusted Data
yiisoft/yii2-dev is vulnerable to Deserialization of Untrusted Data. The vulnerability is due to improper handling in the getIterator function of symfony\finder\Iterator\SortableIterator.php, which allows an attacker to execute arbitrary code remotely...
yiisoft Yii2 Deserialization of Untrusted Data
A vulnerability, which was classified as critical, has been found in yiisoft Yii2 up to 2.0.45. Affected by this issue is the function getIterator of the file symfony\finder\Iterator\SortableIterator.php. The manipulation leads to deserialization. The attack may be launched remotely. The exploit...
Deserialization of Untrusted Data
Overview: yiisoft/yii2 is a Yii PHP Framework. Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the Generate function. Details: Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be...
CVE-2025-2690 yiisoft Yii2 MockClass.php generate deserialization
A vulnerability, which was classified as critical, was found in yiisoft Yii2 up to 2.0.39. This affects the function Generate of the file phpunit\src\Framework\MockObject\MockClass.php. The manipulation leads to deserialization. It is possible to initiate the attack remotely. The exploit has been...
CVE-2025-2689 yiisoft Yii2 SortableIterator.php getIterator deserialization
A vulnerability, which was classified as critical, has been found in yiisoft Yii2 up to 2.0.45. Affected by this issue is the function getIterator of the file symfony\finder\Iterator\SortableIterator.php. The manipulation leads to deserialization. The attack may be launched remotely. The exploit...
CVE-2024-4990 Unsafe Reflection in base Component class in yiisoft/yii2
In yiisoft/yii2 version 2.0.48, the base Component class contains a vulnerability where the set magic method does not validate that the value passed is a valid Behavior class name or configuration. This allows an attacker to instantiate arbitrary classes, passing parameters to their constructors...
CVE-2022-41922
yiisoft/yii before version 1.1.27 is vulnerable to Remote Code Execution (RCE) if the application calls unserialize on arbitrary user input. This has been patched in 1.1.27...
Cross-Site Scripting (XSS)
yiisoft/yii2 is vulnerable to Cross-site Scripting (XSS). The vulnerability is caused by improper handling of quote conversion in the htmlspecialchars function, allowing an attacker to inject malicious attributes through argument values in exception stack traces...
CVE-2024-32877 Reflected Cross-site Scripting in yiisoft/yii2 Debug mode
Yii 2 is a PHP application framework. During internal penetration testing of a product based on Yii2, users discovered a Cross-site Scripting XSS vulnerability within the framework itself. This issue is relevant for the latest version of Yii2 2.0.49.3. This issue lies in the mechanism for...
yiisoft/yii deserializing untrusted user input can lead to remote code execution
Impact: Affected versions of yiisoft/yii are vulnerable to Remote Code Execution (RCE) if the application calls unserialize on arbitrary user input. Patches: Upgrade yiisoft/yii to version 1.1.29 or higher. For more information: See the following links for more details: Git commit...
CVE-2023-47130 Unsafe deserialization of user data in yiisoft/yii
Yii is an open source PHP web framework. yiisoft/yii before version 1.1.29 is vulnerable to Remote Code Execution (RCE) if the application calls unserialize on arbitrary user input. An attacker may leverage this vulnerability to compromise the host system. A fix has been developed for the 1.1.29...
Remote Code Execution
yiisoft/yii is vulnerable to remote code execution. The vulnerability exists in the wakeup function of CDbCriteria.php, due to improper deserialization of untrusted user input, which allows the attacker to control the state or the flow of execution...