Description
Yii 2 is a PHP application framework. Versions 2.0.54 and prior contain flawed logic in the core view rendering method View::renderPhpFile() that leads to Local File Inclusion. The function calls extract($_params_, EXTR_OVERWRITE) before the require statement that loads the view file. As a result, a caller-controlled _file_ key in the $params array overwrites the internal local variable specifying which file to include, potentially enabling RCE if an attacker can write PHP files through a separate primitive, as well as information disclosure. This issue has been fixed in version 2.0.55.
Published: 2026-05-20
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Yii 2, a PHP application framework, contains a flaw in View::renderPhpFile() where user-controlled parameters are extracted with EXTR_OVERWRITE before the view file is required. A caller can supply a _file_ key within the $params array to overwrite the internal variable that designates which file to include. If an attacker can also place a PHP file that the application will read, this flaw can lead to Remote Code Execution; otherwise it can reveal sensitive files. The vulnerability is rated CWE-20 and CWE-98 and was fixed in Yii 2 version 2.0.55.

Affected Systems

The Yii 2 framework from yiisoft is affected. Versions 2.0.54 and earlier are vulnerable. Version 2.0.55 and later contain the fix.

Risk and Exploitability

The CVSS score is 7.4, indicating a high severity. EPSS data is not available and the issue is not listed in the CISA KEV catalog, suggesting exploitation is not yet widely observed. The likely attack vector is via a web request that can manipulate the $params array; if an attacker can write a PHP file into the application's view directory, the flaw could be leveraged for RCE. Proper input validation or restricting the _file_ parameter can mitigate the risk until a patch is applied.

Generated by OpenCVE AI on May 20, 2026 at 21:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Yii 2 to version 2.0.55 or later.
  • Apply the upstream patch (commit 109878b491dbffa541032bc99fb5e26d12cd0375) if upgrading immediately is not possible.
  • Ensure that the application does not allow a _file_ parameter to be passed in $params, e.g., validate input and remove the key before calling renderPhpFile().
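The name collision the description and the last recommendation refer to, shown as an added illustration that is not Yii's code and not the upstream patch: a stand-in renderer in the flawed form (extract with EXTR_OVERWRITE before require) next to a hardened version that rejects reserved parameter names and uses EXTR_SKIP. The view file, its contents and the parameter arrays are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Flawed pattern described in the advisory: extract() with EXTR_OVERWRITE runs
// before require, so a caller-supplied '_file_' key replaces the local that
// names the file to include. Kept only for comparison; never invoked here.
function renderFlawed(string $_file_, array $_params_): string
{
    ob_start();
    extract($_params_, EXTR_OVERWRITE);
    require $_file_;
    return ob_get_clean();
}

// Hardened stand-in (hypothetical, not the 2.0.55 fix): reject parameter names
// that collide with the renderer's own locals, and use EXTR_SKIP so extract()
// can never overwrite an existing local even if the check is bypassed.
function renderHardened(string $_file_, array $_params_): string
{
    $reserved = ['_file_', '_params_', 'this'];
    foreach ($reserved as $name) {
        if (array_key_exists($name, $_params_)) {
            throw new InvalidArgumentException("Reserved view parameter name: $name");
        }
    }
    ob_start();
    extract($_params_, EXTR_SKIP);
    require $_file_;
    return ob_get_clean();
}

// Constructed sample view in a temporary directory.
$dir = sys_get_temp_dir() . '/view-demo-' . getmypid();
mkdir($dir);
file_put_contents("$dir/hello.php", '<?php echo "Hello, ", htmlspecialchars($name), "\n";');

$params = ['name' => 'world'];
echo renderHardened("$dir/hello.php", $params);   // Hello, world

// A parameter array carrying the reserved key is refused before any include.
try {
    renderHardened("$dir/hello.php", $params + ['_file_' => 'not-a-view.txt']);
} catch (InvalidArgumentException $e) {
    echo "Rejected: ", $e->getMessage(), "\n";
}

unlink("$dir/hello.php");
rmdir($dir);
```

Stripping the reserved keys at the controller boundary, as the recommendation above suggests, complements the in-renderer check rather than replacing it.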

Advisories
Source: GitHub GHSA | ID: GHSA-5vpg-rj7q-qpw2 | Title: Yii 2: Local file inclusion via view parameter name collision
History

Thu, 21 May 2026 14:15:00 +0000
  Metrics (added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 21 May 2026 08:45:00 +0000
  First Time appeared (added): Yiisoft; Yiisoft yii2
  Vendors & Products (added): Yiisoft; Yiisoft yii2

Wed, 20 May 2026 20:15:00 +0000
  Description (added): as given in the Description section above
  Title (added): Yii 2: Local file inclusion via view parameter name collision
  Weaknesses (added): CWE-20; CWE-98
  References (added): (no value shown)
  Metrics (added): cvssV3_1 {'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-21T13:03:41.018Z

Reserved: 2026-04-07T19:13:20.378Z

Link: CVE-2026-39850

Vulnrichment

Updated: 2026-05-21T13:03:37.726Z

NVD

Status : Deferred

Published: 2026-05-20T20:16:39.850

Modified: 2026-05-21T15:24:25.330

Link: CVE-2026-39850

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T08:18:43Z

Weaknesses