Every CVE whose affected-product data names Yiiframework Yii, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (19)
CVE-2018-7269 — CVSS 9.8 (critical): The findByCondition function in framework/db/ActiveRecord.php in Yii 2.x before 2.0.15 allows remote attackers to conduct SQL injection…
CVE-2015-5467 — CVSS 9.8 (critical): web\ViewAction in Yii (aka Yii2) 2.x before 2.0.5 allows attackers to execute any local .php file via a relative path in the view…
CVE-2023-26750 — CVSS 9.8 (critical): SQL injection vulnerability found in Yii Framework Yii 2 Framework before v.2.0.47 allows the a remote attacker to execute arbitrary code…
CVE-2018-8073 — CVSS 9.8 (critical): Yii 2.x before 2.0.15 allows remote attackers to execute arbitrary LUA code via a variant of the CVE-2018-7269 attack in conjunction with…
CVE-2024-4990 — CVSS 9.1 (critical): In yiisoft/yii2 version 2.0.48, the base Component class contains a vulnerability where the `__set()` magic method does not validate that…
CVE-2020-15148 — CVSS 8.9 (high): Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary…
CVE-2023-47130 — CVSS 8.1 (high): Yii is an open source PHP web framework. yiisoft/yii before version 1.1.29 are vulnerable to Remote Code Execution (RCE) if the application…
CVE-2018-8074 — CVSS 8.1 (high): Yii 2.x before 2.0.15 allows remote attackers to inject unintended search conditions via a variant of the CVE-2018-7269 attack in…
CVE-2022-41922 — CVSS 8.1 (high): `yiisoft/yii` before version 1.1.27 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary…
CVE-2025-2689 — CVSS 6.3 (medium): A vulnerability, which was classified as critical, has been found in yiisoft Yii2 up to 2.0.45. Affected by this issue is the function…
CVE-2025-2690 — CVSS 6.3 (medium): A vulnerability, which was classified as critical, was found in yiisoft Yii2 up to 2.0.39. This affects the function Generate of the file…
CVE-2025-32027 — CVSS 6.1 (medium): Yii is an open source PHP web framework. Prior to 1.1.31, yiisoft/yii is vulnerable to Reflected XSS in specific scenarios where the…
CVE-2017-11516 — CVSS 6.1 (medium): An XSS vulnerability exists in framework/views/errorHandler/exception.php in Yii Framework 2.0.12 affecting the exception screen when debug…
CVE-2022-31454 — CVSS 6.1 (medium): Yii 2 v2.0.45 was discovered to contain a cross-site scripting (XSS) vulnerability via the endpoint /books. NOTE: this is disputed by the…
CVE-2018-20745 — CVSS 5.9 (medium): Yii 2.x through 2.0.15.1 actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible…
CVE-2024-32877 — CVSS 4.2 (medium): Yii 2 is a PHP application framework. During internal penetration testing of a product based on Yii2, users discovered a Cross-site…