Yii does not prevent XSS in scenarios where fallback error renderer is used
Affected versions of yiisoft/yii are vulnerable to Reflected XSS in specific scenarios where the fallback error renderer is used.
Advisories for Composer/Yiisoft/Yii package
2025
2023
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Yii is an open source PHP web framework. yiisoft/yii before version 1.1.29 is vulnerable to Remote Code Execution (RCE) if the application calls unserialize() on arbitrary user input. An attacker may leverage this vulnerability to compromise the host system. A fix has been developed for the 1.1.29 release. Users are advised to upgrade. There are no known workarounds for this vulnerability.
2022
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in yiisoft/yii.
2018
Information Exposure
In Yii Framework, remote attackers could obtain potentially sensitive information from exception messages, or exploit reflected XSS on the error handler page in non-debug mode. Related to base/ErrorHandler.php, log/Dispatcher.php, and views/errorHandler/exception.php.
Cross-Site Request Forgery (CSRF)
In Yii Framework, the switchIdentity function in web/User.php does not regenerate the CSRF token upon a change of identity.
2014
Code Injection
The CDetailView widget in Yii PHP Framework allows remote attackers to execute arbitrary PHP scripts via vectors related to the value property.