yiiframework yii

23 known vulnerabilities across versions. Each entry lists the CVE, the affected version range, the advisory summary as recorded on this page (summaries are truncated as in the source), and the CVSS score and severity.
CVE-2025-48493 | affected: < 2.0.20 | CVSS 6.5 (MEDIUM)
The Yii 2 Redis extension provides the redis key-value store support for the Yii framework 2.0. On failing connection, the extensi

CVE-2025-32027 | affected: < 1.1.31 | CVSS 6.1 (MEDIUM)
Yii is an open source PHP web framework. Prior to 1.1.31, yiisoft/yii is vulnerable to Reflected XSS in specific scenarios where t

CVE-2024-58136 | affected: < 2.0.52 | CVSS 9.0 (CRITICAL)
Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an __class array key, a CVE-2024-4990 regression, as e

CVE-2025-2690 | affected: >= 2.0.0 and <= 2.0.39 | CVSS 6.3 (MEDIUM)
A vulnerability, which was classified as critical, was found in yiisoft Yii2 up to 2.0.39. This affects the function Generate of t

CVE-2025-2689 | affected: >= 2.0.0 and <= 2.0.45 | CVSS 6.3 (MEDIUM)
A vulnerability, which was classified as critical, has been found in yiisoft Yii2 up to 2.0.45. Affected by this issue is the func

CVE-2024-4990 | affected: all versions | CVSS 9.1 (CRITICAL)
In yiisoft/yii2 version 2.0.48, the base Component class contains a vulnerability where the __set() magic method does not valida

CVE-2024-32877 | affected: all versions | CVSS 4.2 (MEDIUM)
Yii 2 is a PHP application framework. During internal penetration testing of a product based on Yii2, users discovered a Cross-sit

CVE-2023-50714 | affected: < 2.2.15 | CVSS 6.8 (MEDIUM)
yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0. In yii2-au

CVE-2023-50708 | affected: < 2.2.15 | CVSS 6.1 (MEDIUM)
yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0. In yii2-au

CVE-2023-47130 | affected: < 1.1.29 | CVSS 8.1 (HIGH)
Yii is an open source PHP web framework. yiisoft/yii before version 1.1.29 is vulnerable to Remote Code Execution (RCE) if the ap

CVE-2015-5467 | affected: >= 2.0.0 and < 2.0.5 | CVSS 9.8 (CRITICAL)
web\ViewAction in Yii (aka Yii2) 2.x before 2.0.5 allows attackers to execute any local .php file via a relative path in the view

CVE-2022-31454 | affected: all versions | CVSS 6.1 (MEDIUM)
Yii 2 v2.0.45 was discovered to contain a cross-site scripting (XSS) vulnerability via the endpoint /books. NOTE: this is disputed

CVE-2023-26750 | affected: >= 2.0.0 and <= 2.0.47 | CVSS 9.8 (CRITICAL)
SQL injection vulnerability found in Yii Framework Yii 2 Framework before v.2.0.47 allows a remote attacker to execute arbitra

CVE-2022-41922 | affected: < 1.1.27 | CVSS 8.1 (HIGH)
yiisoft/yii before version 1.1.27 is vulnerable to Remote Code Execution (RCE) if the application calls unserialize() on arbi

CVE-2021-3692 | affected: >= 2.0.0 and < 2.0.43 | CVSS 5.3 (MEDIUM)
yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator

CVE-2021-3689 | affected: >= 2.0.0 and < 2.0.43 | CVSS 7.5 (HIGH)
yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator

CVE-2020-15148 | affected: < 2.0.38 | CVSS 8.9 (HIGH)
Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls unserialize() on arbi

CVE-2018-20745 | affected: >= 2.0 and <= 2.0.15.1 | CVSS 5.9 (MEDIUM)
Yii 2.x through 2.0.15.1 actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incom

CVE-2018-8074 | affected: >= 2.0.0 and < 2.0.15 | CVSS 8.1 (HIGH)
Yii 2.x before 2.0.15 allows remote attackers to inject unintended search conditions via a variant of the CVE-2018-7269 attack in

CVE-2018-8073 | affected: < 2.0.15 | CVSS 9.8 (CRITICAL)
Yii 2.x before 2.0.15 allows remote attackers to execute arbitrary LUA code via a variant of the CVE-2018-7269 attack in conjuncti

CVE-2018-7269 | affected: >= 2.0.0 and < 2.0.15 | CVSS 9.8 (CRITICAL)
The findByCondition function in framework/db/ActiveRecord.php in Yii 2.x before 2.0.15 allows remote attackers to conduct SQL inje

CVE-2017-11516 | affected: all versions | CVSS 6.1 (MEDIUM)
An XSS vulnerability exists in framework/views/errorHandler/exception.php in Yii Framework 2.0.12 affecting the exception screen w

CVE-2017-7271 | affected: <= 2.0.10 | CVSS 6.1 (MEDIUM)
Reflected Cross-site scripting (XSS) vulnerability in Yii Framework before 2.0.11, when development mode is used, allows remote at
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin