CVE-2020-36655: Command injection in yiisoft/yii2-gii

January 21, 2023 (updated April 2, 2025)

Yii Yii2 Gii before 2.2.2 allows remote attackers to execute arbitrary code via the Generator.php messageCategory field. The attacker can embed arbitrary PHP code into the model file.

References

github.com/advisories/GHSA-3mpg-q26j-83j5
github.com/yiisoft/yii2-gii
github.com/yiisoft/yii2-gii/commit/ed61e0d85f43e23f79d7c9d1b4e5e5c09a32ce4b
github.com/yiisoft/yii2-gii/issues/433
lab.wallarm.com/yii2-gii-remote-code-execution
nvd.nist.gov/vuln/detail/CVE-2020-36655

Code Behaviors & Features

Detect and mitigate CVE-2020-36655 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →