HIGH
yiisoft
CVE published 2026-05-20
CVE-2026-39850
CVE-2026-39850 is a Yii 2 framework flaw in the core view rendering path that can let caller-controlled parameters override the internal view filename before a require() call. In affected versions (2.0.54 and earlier), this can lead to local file inclusion and information disclosure, and may contribute to remote code execution if an attacker can place PHP files through another weakness. The issue is fixed [truncated]