CVE-2026-39850
Local File Inclusion in Yii 2 PHP Framework
Publication date: 2026-05-20
Last updated on: 2026-05-20
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| yiisoft | yii2 | to 2.0.54 (exc) |
| yiisoft | yii2 | From 2.0.55 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-98 | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Yii2 allows Local File Inclusion and potentially Remote Code Execution, which can lead to unauthorized information disclosure and system compromise.
Such security issues can impact compliance with standards like GDPR and HIPAA, which require protection of sensitive data and secure system operations to prevent unauthorized access and data breaches.
If exploited, this vulnerability could result in exposure of personal or protected health information, violating confidentiality and integrity requirements mandated by these regulations.
Therefore, organizations using affected Yii2 versions must apply the patch to maintain compliance and reduce risk of regulatory violations.
Can you explain this vulnerability to me?
CVE-2026-39850 is a vulnerability in the Yii2 PHP framework versions 2.0.54 and prior. It occurs in the core view rendering method View::renderPhpFile(), where the function extract($_params_, EXTR_OVERWRITE) is called before including the view file. This allows an attacker to supply a specially crafted parameter named _file_ in the $params array, which overwrites the internal variable that specifies which file to include.
As a result, an attacker can manipulate the file path used in the include/require statement, potentially causing Local File Inclusion (LFI). If combined with another vulnerability that allows writing PHP files, this can lead to Remote Code Execution (RCE). The root cause is improper input validation and lack of control over the filename used for inclusion.
This issue was fixed in Yii2 version 2.0.55 by isolating internal variables using a closure-based renderer to prevent parameter collisions.
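A constructed PHP illustration of the variable collision described above, with a closure-isolated renderer beside it. This is added example code, not Yii's View::renderPhpFile() or the actual 2.0.55 patch; the function names, the temp-file views and the parameter values are assumptions made for the demonstration.

```php
<?php
// Constructed sample views written to a temp dir so the script runs offline.
$dir = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
mkdir($dir);
file_put_contents("$dir/intended.php", '<?= "Hello, " . htmlspecialchars($name) ?>');
file_put_contents("$dir/other.php", 'OTHER FILE WAS INCLUDED');

// Vulnerable pattern (simplified): parameters are extracted into the same
// scope that holds the internal $_file_ variable, so a parameter key named
// "_file_" replaces the path that is about to be included.
function renderUnsafe(string $_file_, array $_params_): string
{
    ob_start();
    extract($_params_, EXTR_OVERWRITE); // may overwrite $_file_ (and $_params_)
    include $_file_;
    return ob_get_clean();
}

// Isolated pattern (assumed design, not Yii's code): the path is never held
// in a named variable of the scope where extract() runs, so no parameter
// key can replace it. The closure reads its arguments positionally.
function renderIsolated(string $file, array $params): string
{
    $renderer = static function (): string {
        // No named variables exist here until extract() runs; the file path
        // is fetched from the argument list at include time.
        extract(func_get_arg(1), EXTR_OVERWRITE);
        ob_start();
        include func_get_arg(0);
        return ob_get_clean();
    };
    return $renderer($file, $params);
}

// Caller-supplied parameters that collide with the internal variable name.
$params = ['name' => 'Ada', '_file_' => "$dir/other.php"];

echo "unsafe:   ", renderUnsafe("$dir/intended.php", $params), PHP_EOL;   // OTHER FILE WAS INCLUDED
echo "isolated: ", renderIsolated("$dir/intended.php", $params), PHP_EOL; // Hello, Ada

array_map('unlink', glob("$dir/*.php"));
rmdir($dir);
```

The same collision applies to any internal variable that shares scope with extract(); a review of a renderer should check that every name extract() can produce is harmless there, not just that `_file_` is unusual.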
How can this vulnerability impact me?
This vulnerability can lead to Local File Inclusion, allowing an attacker to read arbitrary files on the server, which may result in information disclosure.
If an attacker can also write PHP files through another vulnerability, they could achieve Remote Code Execution (RCE), enabling them to execute arbitrary code on the server.
The attack requires no privileges or user interaction but has high complexity. The impact includes confidentiality and integrity breaches, as indicated by the CVSS score of 7.4.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade the Yii2 framework to version 2.0.55 or later, where the issue has been fixed.
No workarounds are available for this vulnerability, so applying the official patch is necessary.