Yiiframework Yii

10 matches found

added 2025/03/20 10:15 a.m. | 4282 views

CVE-2024-4990

In yiisoft/yii2 version 2.0.48, the base Component class contains a vulnerability where the __set() magic method does not validate that the value passed is a valid Behavior class name or configuration. This allows an attacker to instantiate arbitrary classes, passing parameters to their constructor...

CVSS 9.1 | AI score 8.1 | EPSS 0.00097

added 2025/04/10 3:15 a.m. | 200 views

CVE-2024-58136

Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an __class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025.

CVSS 9.8 | AI score 9 | EPSS 0.69522

added 2023/04/04 3:15 p.m. | 148 views

CVE-2023-26750

SQL injection vulnerability found in Yii Framework Yii 2 Framework before v.2.0.47 allows a remote attacker to execute arbitrary code via the runAction function. NOTE: the software maintainer's position is that the vulnerability is in third-party code, not in the framework.

CVSS 9.8 | AI score 9.8 | EPSS 0.07667

added 2023/11/14 9:15 p.m. | 101 views

CVE-2023-47130

Yii is an open source PHP web framework. yiisoft/yii versions before 1.1.29 are vulnerable to Remote Code Execution (RCE) if the application calls unserialize() on arbitrary user input. An attacker may leverage this vulnerability to compromise the host system. A fix has been developed for the 1.1.29...

CVSS 9.8 | AI score 9.2 | EPSS 0.03255

added 2022/11/23 6:15 p.m. | 77 views

CVE-2022-41922

yiisoft/yii versions before 1.1.27 are vulnerable to Remote Code Execution (RCE) if the application calls unserialize() on arbitrary user input. This has been patched in 1.1.27.

CVSS 9.8 | AI score 9.2 | EPSS 0.02305

added 2023/09/21 6:15 a.m. | 61 views

CVE-2015-5467

web\ViewAction in Yii (aka Yii2) 2.x before 2.0.5 allows attackers to execute any local .php file via a relative path in the view parameter.

CVSS 9.8 | AI score 9.1 | EPSS 0.00137

added 2018/03/21 6:29 p.m. | 60 views

CVE-2018-7269

The findByCondition function in framework/db/ActiveRecord.php in Yii 2.x before 2.0.15 allows remote attackers to conduct SQL injection attacks via a findOne() or findAll() call, unless a developer recognizes an undocumented need to sanitize array input.

CVSS 9.8 | AI score 8.9 | EPSS 0.00643

added 2025/03/24 7:15 a.m. | 57 views

CVE-2025-2689

A vulnerability, which was classified as critical, has been found in yiisoft Yii2 up to 2.0.45. Affected by this issue is the function getIterator of the file symfony\finder\Iterator\SortableIterator.php. The manipulation leads to deserialization. The attack may be launched remotely. The exploit ha...

CVSS 9.8 | AI score 6.9 | EPSS 0.00096

added 2025/03/24 8:15 a.m. | 50 views

CVE-2025-2690

A vulnerability, which was classified as critical, was found in yiisoft Yii2 up to 2.0.39. This affects the function Generate of the file phpunit\src\Framework\MockObject\MockClass.php. The manipulation leads to deserialization. It is possible to initiate the attack remotely. The exploit has been d...

CVSS 9.8 | AI score 7.1 | EPSS 0.0007

added 2018/03/21 6:29 p.m. | 34 views

CVE-2018-8073

Yii 2.x before 2.0.15 allows remote attackers to execute arbitrary Lua code via a variant of the CVE-2018-7269 attack in conjunction with the Redis extension.

CVSS 9.8 | AI score 8.9 | EPSS 0.0096