汇总 yiiframework 相关全部产品的 CVE 与安全漏洞情报,包括 CVSS、EPSS、公开时间与漏洞情报数据。
已披露问题常与 输入验证问题、CSRF与SSRF 相关,可能在 软件部署与生产负载 场景中带来 异常行为与数据泄露 等暴露风险。
相关漏洞数据主要来源于公开漏洞披露与安全公告,可用于评估历史漏洞暴露面与修复优先级。
| CVE | 摘要 | 来源 | 最高 CVSS | EPSS % | 公开时间 | 更新时间 |
|---|---|---|---|---|---|---|
| CVE-2025-48493 | The Yii 2 Redis extension provides the redis key-value store support for the Yii framework 2.0. On failing connection, the extension writes commands sequence to logs. Prior to version 2.0.20, AUTH parameters are written in plain text exposing username and password. That might be an issue if attacker has access to logs. Version 2.0.20 fixes the issue. | [email protected] | 5.1 | 0.26% | 2025-06-05 | 2026-06-17 |
| CVE-2025-32027 | Yii is an open source PHP web framework. Prior to 1.1.31, yiisoft/yii is vulnerable to Reflected XSS in specific scenarios where the fallback error renderer is used. Upgrade yiisoft/yii to version 1.1.31 or higher. | [email protected] | 6.1 | 0.20% | 2025-04-10 | 2026-06-17 |
| CVE-2024-58136 KEV | Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an __class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025. | [email protected] | 9.0 | 87.71% | 2025-04-09 | 2026-06-17 |
| CVE-2025-2690 | A vulnerability, which was classified as critical, was found in yiisoft Yii2 up to 2.0.39. This affects the function Generate of the file phpunit\src\Framework\MockObject\MockClass.php. The manipulation leads to deserialization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | [email protected] | 5.3 | 0.56% | 2025-03-24 | 2026-06-17 |
| CVE-2025-2689 | A vulnerability, which was classified as critical, has been found in yiisoft Yii2 up to 2.0.45. Affected by this issue is the function getIterator of the file symfony\finder\Iterator\SortableIterator.php. The manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | [email protected] | 5.3 | 0.52% | 2025-03-24 | 2026-06-17 |
| CVE-2024-4990 | In yiisoft/yii2 version 2.0.48, the base Component class contains a vulnerability where the `__set()` magic method does not validate that the value passed is a valid Behavior class name or configuration. This allows an attacker to instantiate arbitrary classes, passing parameters to their constructors and invoking setter methods. Depending on the installed dependencies, various types of attacks are possible, including the execution of arbitrary code, retrieval of sensitive information, and unaut | [email protected] | 9.1 | 79.53% | 2025-03-20 | 2026-06-17 |
| CVE-2024-32877 | Yii 2 is a PHP application framework. During internal penetration testing of a product based on Yii2, users discovered a Cross-site Scripting (XSS) vulnerability within the framework itself. This issue is relevant for the latest version of Yii2 (2.0.49.3). This issue lies in the mechanism for displaying function argument values in the stack trace. The vulnerability manifests when an argument's value exceeds 32 characters. For convenience, argument values exceeding this limit are truncated and di | [email protected] | 4.2 | 0.35% | 2024-05-30 | 2026-06-17 |
| CVE-2023-50714 | yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0. In yii2-authclient prior to version 2.2.15, the Oauth2 PKCE implementation is vulnerable in 2 ways. First, the `authCodeVerifier` should be removed after usage (similar to `authState`). Second, there is a risk for a `downgrade attack` if PKCE is being relied on for CSRF protection. Version 2.2.15 contains a patch for the issue. No known workarounds are available. | [email protected] | 6.8 | 0.49% | 2023-12-22 | 2026-06-17 |
| CVE-2023-50708 | yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0. In yii2-authclient prior to version 2.2.15, the Oauth1/2 `state` and OpenID Connect `nonce` is vulnerable for a `timing attack` since it is compared via regular string comparison (instead of `Yii::$app->getSecurity()->compareString()`). Version 2.2.15 contains a patch for the issue. No known workarounds are available. | [email protected] | 6.1 | 0.72% | 2023-12-22 | 2026-06-17 |
| CVE-2023-47130 | Yii is an open source PHP web framework. yiisoft/yii before version 1.1.29 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. An attacker may leverage this vulnerability to compromise the host system. A fix has been developed for the 1.1.29 release. Users are advised to upgrade. There are no known workarounds for this vulnerability. | [email protected] | 8.1 | 3.15% | 2023-11-14 | 2026-06-17 |
| CVE-2015-5467 | web\ViewAction in Yii (aka Yii2) 2.x before 2.0.5 allows attackers to execute any local .php file via a relative path in the view parameeter. | [email protected] | 9.8 | 0.74% | 2023-09-21 | 2026-06-16 |
| CVE-2022-31454 | Yii 2 v2.0.45 was discovered to contain a cross-site scripting (XSS) vulnerability via the endpoint /books. NOTE: this is disputed by the vendor because the cve-2022-31454-8e8555c31fd3 page does not describe why /books has a relationship to Yii 2. | [email protected] | 6.1 | 0.40% | 2023-07-27 | 2026-06-17 |
| CVE-2023-26750 | SQL injection vulnerability found in Yii Framework Yii 2 Framework before v.2.0.47 allows the a remote attacker to execute arbitrary code via the runAction function. NOTE: the software maintainer's position is that the vulnerability is in third-party code, not in the framework. | [email protected] | 9.8 | 1.82% | 2023-04-04 | 2026-06-17 |
| CVE-2020-36655 | Yii Yii2 Gii before 2.2.2 allows remote attackers to execute arbitrary code via the Generator.php messageCategory field. The attacker can embed arbitrary PHP code into the model file. | [email protected] | 8.8 | 1.46% | 2023-01-20 | 2026-06-16 |
| CVE-2022-34297 | Yii Yii2 Gii through 2.2.4 allows stored XSS by injecting a payload into any field. | [email protected] | 5.4 | 0.61% | 2022-12-09 | 2026-06-17 |
| CVE-2022-41922 | `yiisoft/yii` before version 1.1.27 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. This has been patched in 1.1.27. | [email protected] | 8.1 | 1.13% | 2022-11-23 | 2026-06-17 |
| CVE-2021-3692 | yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator | [email protected] | 5.3 | 1.70% | 2021-08-10 | 2026-06-17 |
| CVE-2021-3689 | yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator | [email protected] | 7.5 | 1.90% | 2021-08-10 | 2026-06-17 |
| CVE-2020-15148 | Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary user input. This is fixed in version 2.0.38. A possible workaround without upgrading is available in the linked advisory. | [email protected] | 8.9 | 79.23% | 2020-09-15 | 2026-06-16 |
| CVE-2018-20745 | Yii 2.x through 2.0.15.1 actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems. | [email protected] | 5.9 | 0.54% | 2019-01-28 | 2026-06-16 |