CVE-2026-39850
HIGH 7.4 | EPSS 0.02%
Yii 2: Local file inclusion via view parameter name collision
Published: 5/11/2026
Modified: 5/11/2026
Also known as: GHSA-5vpg-rj7q-qpw2
Description
The core view rendering method `View::renderPhpFile()` calls `extract($_params_, EXTR_OVERWRITE)` before the `require` statement that includes the view file. A caller-controlled parameter named `_file_` in the `$params` array overwrites the internal local variable that specifies which file is included — enabling a Local File Inclusion primitive.

### Impact

- Local File Inclusion (arbitrary file read via non-PHP files)
- Potential RCE if attacker can write PHP files via a separate primitive
- Information disclosure

### Patches

2.0.55

### Workarounds

No.
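The name collision described above, reduced to a stand-alone PHP script as an added example; it is not Yii's source code and not the 2.0.55 patch. `renderColliding()`, `renderGuarded()`, the temp-directory sample files and the reserved-name check are constructed for illustration, and the guard is one assumed way to avoid the collision.

```php
<?php
// Added illustration: not Yii's source code and not the 2.0.55 patch.
// Constructed sample files in a temp directory so the script runs offline.
$dir = sys_get_temp_dir() . '/view_demo_' . getmypid();
@mkdir($dir);
file_put_contents("$dir/profile.php", 'Hello <?= htmlspecialchars($name) ?>');
file_put_contents("$dir/notes.txt", 'contents of a non-view file');

// Pattern from the advisory: extract() shares a scope with the variable
// that names the file to include, so a '_file_' key replaces it.
function renderColliding(string $_file_, array $_params_): string
{
    ob_start();
    extract($_params_, EXTR_OVERWRITE);
    require $_file_;
    return ob_get_clean();
}

// Assumed hardening: reject the reserved names, and use EXTR_SKIP so
// extract() never replaces a local that already exists.
function renderGuarded(string $_file_, array $_params_): string
{
    if (array_intersect(['_file_', '_params_'], array_keys($_params_))) {
        throw new InvalidArgumentException('reserved view parameter name');
    }
    ob_start();
    try {
        extract($_params_, EXTR_SKIP);
        require $_file_;
    } finally {
        $out = ob_get_clean(); // always close the buffer, even on error
    }
    return $out;
}

$view = "$dir/profile.php";
// Constructed parameter array, as if merged from request input.
$untrusted = ['name' => 'alice', '_file_' => "$dir/notes.txt"];

echo renderColliding($view, ['name' => 'alice']), PHP_EOL; // intended view
echo renderColliding($view, $untrusted), PHP_EOL;          // notes.txt is included instead
try {
    renderGuarded($view, $untrusted);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
echo renderGuarded($view, ['name' => 'alice']), PHP_EOL;   // intended view

array_map('unlink', glob("$dir/*"));
rmdir($dir);
```

In application code the same review question applies to every call that passes a parameter array to a view: whether any of its keys can originate from request input.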
Affected packages (1)
- Packagist/yiisoft/yii2: from 0, < 2.0.55
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.4 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |