# Yii 2: Local file inclusion via view parameter name collision
Severity: HIGH 7.4 (GHSA-5vpg-rj7q-qpw2)
### Details
The core view rendering method `View::renderPhpFile()` calls `extract($_params_, EXTR_OVERWRITE)` before the `require` statement that includes the view file. A caller-controlled parameter named `_file_` in the `$params` array overwrites the internal local variable that specifies which file is included — enabling a Local File Inclusion primitive.
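To make the collision concrete, here is an added, stripped-down stand-in for `View::renderPhpFile()` (not Yii's own code) beside a hardened variant; the file names are constructed for the demo, and the reserved-key check plus `EXTR_SKIP` is one possible mitigation, not necessarily what the upstream patch does.

```php
<?php
// Added illustration, not Yii's code: why extract() before require is unsafe,
// and one way to harden the same shape. Fixture file names are constructed.

// Vulnerable shape: extract(EXTR_OVERWRITE) runs before require, so a
// parameter key named "_file_" replaces the function's own $_file_ local.
function renderVulnerable(string $_file_, array $_params_ = []): string
{
    ob_start();
    extract($_params_, EXTR_OVERWRITE);
    require $_file_;            // includes whatever $_params_['_file_'] set
    return ob_get_clean();
}

// Hardened shape (assumption, not necessarily the upstream fix): reject keys
// that collide with the method's own locals, and use EXTR_SKIP so caller data
// can never overwrite a variable that already exists in this scope.
function renderHardened(string $_file_, array $_params_ = []): string
{
    foreach (['_file_', '_params_'] as $reserved) {
        if (array_key_exists($reserved, $_params_)) {
            throw new InvalidArgumentException("Reserved view parameter: $reserved");
        }
    }
    ob_start();
    extract($_params_, EXTR_SKIP);
    require $_file_;
    return ob_get_clean();
}

// Constructed fixtures: the intended view and an unrelated non-PHP file.
$dir   = sys_get_temp_dir();
$view  = "$dir/demo-view.php";
$other = "$dir/demo-not-a-view.txt";
file_put_contents($view, '<p>Hello <?= htmlspecialchars($name) ?></p>');
file_put_contents($other, 'contents of some other file');

// Normal use renders the view.
echo renderVulnerable($view, ['name' => 'Yii']), PHP_EOL;
// Same call with a colliding key: the other file is included verbatim instead.
echo renderVulnerable($view, ['name' => 'Yii', '_file_' => $other]), PHP_EOL;

// The hardened variant refuses the colliding parameter up front.
try {
    renderHardened($view, ['name' => 'Yii', '_file_' => $other]);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

Running it prints the rendered view, then the raw text of the second file (showing the arbitrary-file-read effect on a non-PHP file), then the rejection message from the hardened variant.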
### Impact
- Local File Inclusion (arbitrary file read via non-PHP files)
- Potential RCE if an attacker can write PHP files via a separate primitive
- Information disclosure
### Patches
Fixed in 2.0.55.
### Workarounds
None.
### Affected packages
- Packagist / yiisoft/yii2: introduced in 0, fixed in 2.0.55
- Fix: `composer require yiisoft/yii2:^2.0.55`
### References
- https://github.com/yiisoft/yii2/security/advisories/GHSA-5vpg-rj7q-qpw2 [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-39850 [ADVISORY]
- https://github.com/yiisoft/yii2/commit/109878b491dbffa541032bc99fb5e26d12cd0375 [WEB]
- https://github.com/yiisoft/yii2 [PACKAGE]
- https://github.com/yiisoft/yii2/releases/tag/2.0.55 [WEB]