Vulnerabilities > Yiiframework > YII > Critical

DATE CVE VULNERABILITY TITLE RISK
2025-03-24 CVE-2025-2690 Deserialization of Untrusted Data vulnerability in Yiiframework YII
A vulnerability, which was classified as critical, was found in yiisoft Yii2 up to 2.0.39.
network
low complexity
yiiframework CWE-502
critical
9.8
2025-03-24 CVE-2025-2689 Deserialization of Untrusted Data vulnerability in Yiiframework YII
A vulnerability, which was classified as critical, has been found in yiisoft Yii2 up to 2.0.45.
network
low complexity
yiiframework CWE-502
critical
9.8
2025-03-20 CVE-2024-4990 Unspecified vulnerability in Yiiframework YII 2.0.48
In yiisoft/yii2 version 2.0.48, the base Component class contains a vulnerability where the `__set()` magic method does not validate that the value passed is a valid Behavior class name or configuration.
network
low complexity
yiiframework
critical
9.1
2023-11-14 CVE-2023-47130 Unspecified vulnerability in Yiiframework YII
Yii is an open source PHP web framework.
network
low complexity
yiiframework
critical
9.8
2023-09-21 CVE-2015-5467 Path Traversal vulnerability in Yiiframework YII
web\ViewAction in Yii (aka Yii2) 2.x before 2.0.5 allows attackers to execute any local .php file via a relative path in the view parameeter.
network
low complexity
yiiframework CWE-22
critical
9.8
2023-04-04 CVE-2023-26750 SQL Injection vulnerability in Yiiframework YII
SQL injection vulnerability found in Yii Framework Yii 2 Framework before v.2.0.47 allows the a remote attacker to execute arbitrary code via the runAction function.
network
low complexity
yiiframework CWE-89
critical
9.8
2022-11-23 CVE-2022-41922 Unspecified vulnerability in Yiiframework YII
`yiisoft/yii` before version 1.1.27 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input.
network
low complexity
yiiframework
critical
9.8
2020-09-15 CVE-2020-15148 Unspecified vulnerability in Yiiframework YII
Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary user input.
network
low complexity
yiiframework
critical
10.0
2018-03-21 CVE-2018-7269 SQL Injection vulnerability in Yiiframework YII
The findByCondition function in framework/db/ActiveRecord.php in Yii 2.x before 2.0.15 allows remote attackers to conduct SQL injection attacks via a findOne() or findAll() call, unless a developer recognizes an undocumented need to sanitize array input.
network
low complexity
yiiframework CWE-89
critical
9.8
2018-03-21 CVE-2018-8073 Code Injection vulnerability in Yiiframework YII
Yii 2.x before 2.0.15 allows remote attackers to execute arbitrary LUA code via a variant of the CVE-2018-7269 attack in conjunction with the Redis extension.
network
low complexity
yiiframework CWE-94
critical
9.8