Local File Inclusion Flaw in Yii 2 Framework by Yiisoft
CVE-2026-39850
7.4 HIGH
What is CVE-2026-39850?
Yii 2 Framework versions 2.0.54 and earlier contain a Local File Inclusion vulnerability in the core view rendering method, View::renderPhpFile(). The method handles its parameters improperly, which allows an attacker to manipulate the internal file-path variable: an attacker who manages to control the file key in the $params array can potentially overwrite that variable so that arbitrary PHP files are included. This can expose sensitive information, and it can lead to Remote Code Execution (RCE) if the attacker has another method to write PHP files on the server. The issue has been addressed in version 2.0.55.
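The overwrite described above, next to two mitigations, as an added example that is not Yii's code: renderOverwrite(), renderSkip() and assertViewParams() are hypothetical stand-ins, the variable names file and params follow the wording above, and the sample views and request data are constructed. EXTR_SKIP is shown as one way to stop the collision and is not claimed to be the change made in 2.0.55.

```php
<?php
// Added example: simplified stand-ins, not Yii's View::renderPhpFile() source.

// Before: extract() defaults to EXTR_OVERWRITE, so a 'file' key in $params
// replaces the local $file before it reaches require.
function renderOverwrite(string $file, array $params = []): string
{
    ob_start();
    extract($params);
    require $file;
    return ob_get_clean();
}

// After: EXTR_SKIP leaves variables that already exist ($file, $params) alone.
function renderSkip(string $file, array $params = []): string
{
    ob_start();
    extract($params, EXTR_SKIP);
    require $file;
    return ob_get_clean();
}

// Caller-side guard for code that forwards request data as view params.
// $reserved is an assumption: set it to the renderer's own variable names.
function assertViewParams(array $params, array $reserved = ['file', 'params']): array
{
    $clash = array_intersect(array_keys($params), $reserved);
    if ($clash !== []) {
        throw new InvalidArgumentException('reserved view param: ' . implode(', ', $clash));
    }
    return $params;
}

// Constructed sample views and request data.
$dir = sys_get_temp_dir() . '/view_demo_' . getmypid();
is_dir($dir) || mkdir($dir);
file_put_contents("$dir/profile.php", 'profile for <?= htmlspecialchars($name) ?>');
file_put_contents("$dir/other.php", 'contents of other.php');
$input = ['name' => 'alice', 'file' => "$dir/other.php"];

echo renderOverwrite("$dir/profile.php", $input), "\n";
echo renderSkip("$dir/profile.php", $input), "\n";
try {
    assertViewParams($input);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
array_map('unlink', glob("$dir/*.php"));
rmdir($dir);
```

On installations that cannot upgrade to 2.0.55 immediately, a guard like assertViewParams() belongs wherever request data is merged into the array passed to render().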
Affected Version(s)
yii2 < 2.0.55
