CVE-2026-39850
Deferred - Pending Action
Local File Inclusion in Yii 2 PHP Framework

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: GitHub, Inc.

Description
Yii 2 is a PHP application framework. Versions 2.0.54 and prior contain flawed logic in the core view rendering method View::renderPhpFile() that leads to Local File Inclusion. The function calls extract($_params_, EXTR_OVERWRITE) before the require statement that loads the view file. As a result, a caller-controlled _file_ key in the $params array overwrites the internal local variable specifying which file to include, potentially enabling RCE if an attacker can write PHP files through a separate primitive, as well as information disclosure. This issue has been fixed in version 2.0.55.
Meta Information
Published: 2026-05-20
Last Modified: 2026-05-20
Generated: 2026-06-10
AI Q&A: 2026-05-20
EPSS Evaluated: 2026-06-08
NVD
Affected Vendors & Products (2 associated CPEs)
Vendor    Product   Version / Range
yiisoft   yii2      to 2.0.54 (exc)
yiisoft   yii2      from 2.0.55 (inc)
CWE
CWE-20: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-98: The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
AI Quick Actions
Executive Summary

CVE-2026-39850 is a vulnerability in the Yii2 PHP framework versions 2.0.54 and prior. It occurs in the core view rendering method View::renderPhpFile(), where the function extract($_params_, EXTR_OVERWRITE) is called before including the view file. This allows an attacker to supply a specially crafted parameter named _file_ in the $params array, which overwrites the internal variable that specifies which file to include.

As a result, an attacker can manipulate the file path used in the include/require statement, potentially causing Local File Inclusion (LFI). If combined with another vulnerability that allows writing PHP files, this can lead to Remote Code Execution (RCE). The root cause is improper input validation and lack of control over the filename used for inclusion.

This issue was fixed in Yii2 version 2.0.55 by isolating internal variables using a closure-based renderer to prevent parameter collisions.
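The extract-before-require flaw described in the description and the executive summary above, as an added PHP example that is not Yii's own code: the first function reproduces the vulnerable pattern using the advisory's variable names, and the second is a constructed closure-based renderer (an assumption about the shape of the fix, not the actual 2.0.55 patch) whose include scope holds no internal variable for a parameter key to collide with.

```php
<?php
// Added illustrative example, not Yii's own code. Variable names $_file_ and
// $_params_ follow the advisory; the hardened version is a constructed fix.

// Vulnerable pattern: extract() with EXTR_OVERWRITE runs while the path is
// still an ordinary local, so a parameter key named '_file_' replaces it.
function renderPhpFileVulnerable(string $_file_, array $_params_ = []): string
{
    ob_start();
    extract($_params_, EXTR_OVERWRITE); // can clobber $_file_
    require $_file_;                     // includes whatever $_file_ now holds
    return ob_get_clean();
}

// Hardened pattern: the include runs inside a closure that declares no local
// variables and reads the path and params positionally; EXTR_SKIP is a second
// guard, so no parameter key can collide with an internal name.
function renderPhpFileHardened(string $file, array $params = []): string
{
    $renderer = static function (): void {
        extract(func_get_arg(1), EXTR_SKIP);
        require func_get_arg(0);
    };
    ob_start();
    try {
        $renderer($file, $params);
        return ob_get_clean();
    } catch (\Throwable $e) {
        ob_end_clean(); // do not leak partial output on error
        throw $e;
    }
}

// Self-check with constructed temporary view files.
$dir = sys_get_temp_dir() . '/view_demo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/intended.php", '<?= "intended:" . htmlspecialchars($name) ?>');
file_put_contents("$dir/other.php", '<?= "other" ?>');
$params = ['name' => 'alice', '_file_' => "$dir/other.php"]; // colliding key

echo renderPhpFileVulnerable("$dir/intended.php", $params), PHP_EOL; // follows the overridden path
echo renderPhpFileHardened("$dir/intended.php", $params), PHP_EOL;   // renders intended.php
array_map('unlink', glob("$dir/*.php"));
rmdir($dir);
```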

Impact Analysis

This vulnerability can lead to Local File Inclusion, allowing an attacker to read arbitrary files on the server, which may result in information disclosure.

If an attacker can also write PHP files through another vulnerability, they could achieve Remote Code Execution (RCE), enabling them to execute arbitrary code on the server.

The attack requires no privileges or user interaction but has high complexity. The impact includes confidentiality and integrity breaches, as indicated by the CVSS score of 7.4.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade the Yii2 framework to version 2.0.55 or later, where the issue has been fixed.

No workarounds are available for this vulnerability, so applying the official patch is necessary.

Detection Guidance

Detection of CVE-2026-39850 involves identifying if your Yii2 framework version is 2.0.54 or prior, as these versions contain the vulnerable code in the View::renderPhpFile() method.

Since the vulnerability arises from the ability to overwrite the internal _file_ variable via the $params array, detection can focus on monitoring or scanning for suspicious requests that include a _file_ parameter in the input to view rendering functions.

There are no specific commands provided in the resources, but general approaches include:

  • Checking the Yii2 version installed on your system to confirm whether it is 2.0.54 or earlier.
  • Reviewing web server logs or application logs for requests containing parameters named '_file_' or unusual file path manipulations.
  • Using grep or similar tools to search your codebase for usage of View::renderPhpFile() and inspecting how parameters are passed.
  • Example command to check the Yii2 version (if accessible via composer): composer show yiisoft/yii2 | grep versions
  • Example command to search logs for suspicious _file_ parameters: grep -r '_file_=' /path/to/your/logs/

Compliance Impact

The vulnerability in Yii2 allows Local File Inclusion and potentially Remote Code Execution, which can lead to unauthorized information disclosure and system compromise.

Such security issues can impact compliance with standards like GDPR and HIPAA, which require protection of sensitive data and secure system operations to prevent unauthorized access and data breaches.

If exploited, this vulnerability could result in exposure of personal or protected health information, violating confidentiality and integrity requirements mandated by these regulations.

Therefore, organizations using affected Yii2 versions must apply the patch to maintain compliance and reduce risk of regulatory violations.
