CVE-2026-39850: Yii 2: Local file inclusion via view parameter name collision
The core view rendering method View::renderPhpFile() calls extract($_params_, EXTR_OVERWRITE) before the require statement that includes the view file. A caller-controlled parameter named _file_ in the $params array overwrites the internal local variable that specifies which file is included — enabling a Local File Inclusion primitive.
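To make the collision concrete, here is an added illustration (not Yii's code) of the render pattern described above placed next to a hardened variant that rejects colliding parameter names and uses EXTR_SKIP; the function names, the reserved-name list and the constructed sample view are assumptions.

```php
<?php
// Added example, not Yii's code: minimal re-creation of the pattern
// described in the advisory and one way to harden it. Names are illustrative.

// Vulnerable pattern: extract() with EXTR_OVERWRITE runs before require,
// so a key named "_file_" in $_params_ replaces the include target.
function renderVulnerable(string $_file_, array $_params_ = []): string
{
    ob_start();
    extract($_params_, EXTR_OVERWRITE);   // may clobber $_file_
    require $_file_;
    return ob_get_clean();
}

// Hardened variant: refuse parameter names that collide with the renderer's
// own locals, and use EXTR_SKIP so extract() never overwrites an existing
// variable even if a reserved name slips past the check.
function renderHardened(string $_file_, array $_params_ = []): string
{
    $reserved = ['_file_', '_params_', 'this'];   // assumed reserved names
    foreach (array_keys($_params_) as $name) {
        if (in_array($name, $reserved, true)) {
            throw new InvalidArgumentException(
                "View parameter name '$name' collides with a renderer variable");
        }
    }
    ob_start();
    extract($_params_, EXTR_SKIP);        // existing locals always win
    require $_file_;
    return ob_get_clean();
}

// Constructed demo view written to a temp file so the example runs offline.
$view = tempnam(sys_get_temp_dir(), 'view_');
file_put_contents($view, '<p>Hello, <?= htmlspecialchars($name) ?></p>');

// Normal render: only the intended view is included.
echo renderHardened($view, ['name' => 'Alice']), PHP_EOL;

// A parameter set carrying the reserved key is refused before require runs.
try {
    renderHardened($view, ['name' => 'Bob', '_file_' => '/not/the/view.php']);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
unlink($view);
```

The reserved-name check gives a clear error for callers, while EXTR_SKIP is the defence that holds even for names the list does not anticipate.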