yiisoft/yii2 is vulnerable to Arbitrary Code Execution. The vulnerability is due to improper validation in the __set()
magic function when attaching behaviors to components, allowing instantiation of arbitrary classes if attacker-controlled input is provided.