CVE-2026-39850— Yii 2: Local file inclusion via view parameter name collision
Possible ATT&CK Techniques 2AI
T1203 · Exploitation for Client Execution T1190 · Exploit Public-Facing ApplicationGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-39850
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Yii 2: Local file inclusion via view parameter name collision
Source: NVD (National Vulnerability Database)
Vulnerability Description
Yii 2 is a PHP application framework. Versions 2.0.54 and prior contain flawed logic in the core view rendering method View::renderPhpFile() that leads to Local File Inclusion. The function calls extract($_params_, EXTR_OVERWRITE) before the require statement that loads the view file. As a result, a caller-controlled _file_ key in the $params array overwrites the internal local variable specifying which file to include, potentially enabling RCE if an attacker can write PHP files through a separate primitive, as well as information disclosure. This issue has been fixed in version 2.0.55.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
输入验证不恰当
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-39850
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCVerified env Premium
Qwen3.6-35B-A3B · 10045 chars
Paid plan includes:
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month
III. Intelligence Information for CVE-2026-39850
请登录查看更多情报信息。
- https://github.com/yiisoft/yii2/security/advisories/GHSA-5vpg-rj7q-qpw2x_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2026-39850
IV. Related Vulnerabilities
Same vendor: yiisoft
- CVE-2025-48493
Yii 2 Redis may expose AUTH paramters in logs in case of con - CVE-2025-32027
Yii does not prevent XSS in scenarios where fallback error r - CVE-2025-2690
yiisoft Yii2 MockClass.php generate deserialization - CVE-2025-2689
yiisoft Yii2 SortableIterator.php getIterator deserializatio - CVE-2024-4990
Unsafe Reflection in base Component class in yiisoft/yii2
Same weakness: CWE-20
- CVE-2026-9124
Chrome <148.0.7778.179 输入验证不足致数据泄露 - CVE-2026-20240
Denial of Service through coldToFrozen.sh Script in Splunk E - CVE-2026-5946
Invalid handling of CLASS != IN - CVE-2026-31378
Apache OFBiz: JSON Attribute Override and URL Allowlist Bypa - CVE-2026-28751
filemanagement_storage_service has an improper input validat
V. Comments for CVE-2026-39850
No comments yet