Yiiframework

Known Exploited Yiiframework Vulnerabilities

The following Yiiframework vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

The vulnerability CVE-2024-58136: Yiiframework Yii Improper Protection of Alternate Path Vulnerability is in the top 5% of the currently known exploitable vulnerabilities.

By the Year

In 2026 there have been 0 vulnerabilities in Yiiframework. Last year, in 2025 Yiiframework had 4 security vulnerabilities published. Right now, Yiiframework is on track to have less security vulnerabilities in 2026 than it did last year.

Recent Yiiframework Security Vulnerabilities

CVE	Date	Vulnerability	Products
CVE-2024-58136	Apr 10, 2025	Yii 2 <=2.0.51 __class behavior attach flaw CVE-2024-58136 Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an __class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025.	Yii
CVE-2025-2690	Mar 24, 2025	Yii2 <2.0.39 Remote Deserialization via PHPUnit MockObject Generate A vulnerability, which was classified as critical, was found in yiisoft Yii2 up to 2.0.39. This affects the function Generate of the file phpunit\src\Framework\MockObject\MockClass.php. The manipulation leads to deserialization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.	Yii
CVE-2025-2689	Mar 24, 2025	Yii2 <=2.0.45 Remote Deserialization via SortableIterator A vulnerability, which was classified as critical, has been found in yiisoft Yii2 up to 2.0.45. Affected by this issue is the function getIterator of the file symfony\finder\Iterator\SortableIterator.php. The manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.	Yii
CVE-2024-4990	Mar 20, 2025	Yii2 2.0.48 Component::__set Allows Arbitrary Instantiation In yiisoft/yii2 version 2.0.48, the base Component class contains a vulnerability where the `__set()` magic method does not validate that the value passed is a valid Behavior class name or configuration. This allows an attacker to instantiate arbitrary classes, passing parameters to their constructors and invoking setter methods. Depending on the installed dependencies, various types of attacks are possible, including the execution of arbitrary code, retrieval of sensitive information, and unauthorized access.	Yii
CVE-2023-50708	Dec 22, 2023	yii2-authclient < 2.2.15: Timing Attack via Improper State/Nonce Compare yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0. In yii2-authclient prior to version 2.2.15, the Oauth1/2 `state` and OpenID Connect `nonce` is vulnerable for a `timing attack` since it is compared via regular string comparison (instead of `Yii::$app->getSecurity()->compareString()`). Version 2.2.15 contains a patch for the issue. No known workarounds are available.	Yii2 Authclient
CVE-2023-50714	Dec 22, 2023	yii2-authclient PKCE downgrade & unused verifier vuln before 2.2.15 yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0. In yii2-authclient prior to version 2.2.15, the Oauth2 PKCE implementation is vulnerable in 2 ways. First, the `authCodeVerifier` should be removed after usage (similar to `authState`). Second, there is a risk for a `downgrade attack` if PKCE is being relied on for CSRF protection. Version 2.2.15 contains a patch for the issue. No known workarounds are available.	Yii2 Authclient
CVE-2023-47130	Nov 14, 2023	Yii 1.1.28 RCE via unserialize before 1.1.29 Yii is an open source PHP web framework. yiisoft/yii before version 1.1.29 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. An attacker may leverage this vulnerability to compromise the host system. A fix has been developed for the 1.1.29 release. Users are advised to upgrade. There are no known workarounds for this vulnerability.	Yii
CVE-2015-5467	Sep 21, 2023	Yii2 2.x Before 2.0.5 Remote Local File Inclusion via ViewAction web\ViewAction in Yii (aka Yii2) 2.x before 2.0.5 allows attackers to execute any local .php file via a relative path in the view parameeter.	Yii
CVE-2022-31454	Jul 28, 2023	Yii2 2.0.45 XSS via /books endpoint (disputed) Yii 2 v2.0.45 was discovered to contain a cross-site scripting (XSS) vulnerability via the endpoint /books. NOTE: this is disputed by the vendor because the cve-2022-31454-8e8555c31fd3 page does not describe why /books has a relationship to Yii 2.	Yii
CVE-2023-26750	Apr 04, 2023	Yii2 SQLi via runAction before 2.0.47 SQL injection vulnerability found in Yii Framework Yii 2 Framework before v.2.0.47 allows the a remote attacker to execute arbitrary code via the runAction function. NOTE: the software maintainer's position is that the vulnerability is in third-party code, not in the framework.	Yii