Yiiframework: >> Yii >> 2.0.34 Security Vulnerabilities
CVE-2024-58136
Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an __class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025.
Known exploited
CVSS Score
9.0
EPSS Score
0.359
Published
2025-04-10
A vulnerability, which was classified as critical, was found in yiisoft Yii2 up to 2.0.39. This affects the function Generate of the file phpunit\src\Framework\MockObject\MockClass.php. The manipulation leads to deserialization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
CVSS Score
6.3
EPSS Score
0.001
Published
2025-03-24
A vulnerability, which was classified as critical, has been found in yiisoft Yii2 up to 2.0.45. Affected by this issue is the function getIterator of the file symfony\finder\Iterator\SortableIterator.php. The manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
CVSS Score
6.3
EPSS Score
0.001
Published
2025-03-24
SQL injection vulnerability found in Yii Framework Yii 2 Framework before v.2.0.47 allows the a remote attacker to execute arbitrary code via the runAction function. NOTE: the software maintainer's position is that the vulnerability is in third-party code, not in the framework.
CVSS Score
9.8
EPSS Score
0.077
Published
2023-04-04
yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator
CVSS Score
8.1
EPSS Score
0.005
Published
2021-08-10
yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator
CVSS Score
8.1
EPSS Score
0.005
Published
2021-08-10
Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary user input. This is fixed in version 2.0.38. A possible workaround without upgrading is available in the linked advisory.
CVSS Score
8.9
EPSS Score
0.925
Published
2020-09-15