CVE-2026-39850— Yii 2: Local file inclusion via view parameter name collision
Possible ATT&CK Techniques 2AI
T1203 · Exploitation for Client Execution T1190 · Exploit Public-Facing ApplicationGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-39850
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Yii 2: Local file inclusion via view parameter name collision
Source: NVD (National Vulnerability Database)
Vulnerability Description
Yii 2 is a PHP application framework. Versions 2.0.54 and prior contain flawed logic in the core view rendering method View::renderPhpFile() that leads to Local File Inclusion. The function calls extract($_params_, EXTR_OVERWRITE) before the require statement that loads the view file. As a result, a caller-controlled _file_ key in the $params array overwrites the internal local variable specifying which file to include, potentially enabling RCE if an attacker can write PHP files through a separate primitive, as well as information disclosure. This issue has been fixed in version 2.0.55.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
输入验证不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Yii 输入验证错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Yii是YII团队的开发的一套基于组件、用于开发大型Web应用的高性能PHP框架。 Yii 2 2.0.54及之前版本存在输入验证错误漏洞,该漏洞源于核心视图渲染方法View::renderPhpFile()中逻辑缺陷导致本地文件包含,可能通过参数覆盖内部变量导致远程代码执行和信息泄露。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-39850
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCVerified env Premium
Real sandbox recording· Watch the recording below to confirm the POC actually triggers the vulnerability.
Sandbox build & launch
Qwen3.6-35B-A3B · 10045 chars
Paid plan includes:
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month
III. Intelligence Information for CVE-2026-39850
请登录查看更多情报信息。
Advisory · 1Patch · 1
IV. Related Vulnerabilities
Same vendor: yiisoft
- CVE-2025-48493
Yii 2 Redis may expose AUTH paramters in logs in case of con - CVE-2025-32027
Yii does not prevent XSS in scenarios where fallback error r - CVE-2025-2690
yiisoft Yii2 MockClass.php generate deserialization - CVE-2025-2689
yiisoft Yii2 SortableIterator.php getIterator deserializatio - CVE-2024-4990
Unsafe Reflection in base Component class in yiisoft/yii2
V. Comments for CVE-2026-39850
No comments yet