CVE-2026-39850

HIGH7.4EPSS 0.02%

Yii 2: Local file inclusion via view parameter name collision

發布日:2026/5/11修改日:2026/5/11

描述

The core view rendering method `View::renderPhpFile()` calls `extract($_params_, EXTR_OVERWRITE)` before the `require` statement that includes the view file. A caller-controlled parameter named `_file_` in the `$params` array overwrites the internal local variable that specifies which file is included — enabling a Local File Inclusion primitive. ### Impact - Local File Inclusion (arbitrary file read via non-PHP files) - Potential RCE if attacker can write PHP files via a separate primitive - Information disclosure ### Patches 2.0.55 ### Workarounds No.

受影響套件(1)

Packagist/yiisoft/yii2from 0, < 2.0.55

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH7.4	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

參考連結(4)

PATCHhttps://github.com/yiisoft/yii2
WEBhttps://github.com/yiisoft/yii2/commit/109878b491dbffa541032bc99fb5e26d12cd0375
WEBhttps://github.com/yiisoft/yii2/releases/tag/2.0.55
WEBhttps://github.com/yiisoft/yii2/security/advisories/GHSA-5vpg-rj7q-qpw2