PatchSiren cyber security CVE debrief
CVE-2026-39850 yiisoft CVE debrief
CVE-2026-39850 is a Yii 2 framework flaw in the core view rendering path that can let caller-controlled parameters override the internal view filename before a require() call. In affected versions (2.0.54 and earlier), this can lead to local file inclusion and information disclosure, and may contribute to remote code execution if an attacker can place PHP files through another weakness. The issue is fixed in Yii 2.0.55.
- Vendor: yiisoft
- Product: yii2
- CVSS: HIGH 7.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-20
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-20
- Advisory updated: 2026-05-21
Who should care
Teams running Yii 2 applications, especially those that render PHP views with attacker-influenced parameters or operate writable directories that could be abused to place PHP files. Security and platform teams should prioritize this if the framework version is 2.0.54 or earlier.
Technical summary
The vulnerability is in View::renderPhpFile(). According to the supplied advisory text, the method calls extract($_params_, EXTR_OVERWRITE) before require loads the view file. Because extract() runs first and is allowed to overwrite existing locals, a caller-controlled _file_ key in the $params array replaces the local variable that holds the include path, so the subsequent require loads whatever file the caller named. The result is local file inclusion, with exposure of sensitive content possible, and additional RCE risk if a separate file-write primitive lets an attacker place PHP files where they can be included. The CVE is mapped to CWE-20 and CWE-98 in the source corpus.
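The following is an added illustration written for this debrief; it is not Yii's own code and not the upstream fix commit. It reproduces the unsafe ordering the advisory describes in a minimal rendering helper, then shows a hardened variant that resolves and validates the include target before any extract(), rejects parameter names that could collide with the renderer's locals, and uses EXTR_SKIP so existing locals can never be overwritten. The function names (renderUnsafe, renderSafe), the allowed-root check and the sample view under a temp directory are all hypothetical.

```php
<?php
// Added illustration, not Yii's own code. Names are hypothetical.

// Unsafe ordering: extract() with EXTR_OVERWRITE runs before require, so a
// caller-supplied key named like the local variable replaces the include
// target. This is the same pattern the advisory describes for renderPhpFile().
function renderUnsafe(string $_file_, array $_params_): string
{
    ob_start();
    extract($_params_, EXTR_OVERWRITE); // a '_file_' key clobbers $_file_
    require $_file_;                    // include target is now caller-controlled
    return ob_get_clean();
}

// Hardened variant with three independent defences:
//  1. Resolve and validate the include target before any extract().
//  2. Reject parameter names starting with '_' or that are not plain identifiers,
//     so nothing can target the renderer's own locals by name.
//  3. Use EXTR_SKIP so extract() never overwrites an existing local.
function renderSafe(string $viewFile, array $params, string $viewRoot): string
{
    $root = realpath($viewRoot);
    $path = realpath($viewFile);
    if ($root === false || $path === false || !is_file($path)
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        throw new InvalidArgumentException('view file is missing or outside the allowed root');
    }
    foreach (array_keys($params) as $name) {
        if (!is_string($name) || $name === '' || $name[0] === '_'
            || !preg_match('/^[A-Za-z][A-Za-z0-9_]*$/', $name)) {
            throw new InvalidArgumentException("rejected view parameter name: $name");
        }
    }
    ob_start();
    extract($params, EXTR_SKIP); // $path and $root cannot be replaced
    require $path;
    return ob_get_clean();
}

// Usage with constructed input: a throwaway view file under a temp root.
$root = sys_get_temp_dir() . '/views_' . bin2hex(random_bytes(4));
mkdir($root);
file_put_contents($root . '/hello.php', '<p><?= htmlspecialchars($title) ?></p>');

echo renderSafe($root . '/hello.php', ['title' => 'Hello'], $root), PHP_EOL;

try {
    // A '_file_' key is refused before extract() ever runs.
    renderSafe($root . '/hello.php', ['_file_' => 'anything', 'title' => 'x'], $root);
} catch (InvalidArgumentException $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;
}
```

The point to take from renderSafe is the order of operations: the include path is fixed and checked against an allowed root before user-supplied names are ever turned into variables, and the extract() flag is chosen so that even a collision with an unanticipated local name is a no-op rather than an overwrite. When reviewing application code that wraps view rendering, look for any extract() call that precedes the require/include it feeds.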
Defensive priority
High. NVD assigns CVSS 3.1 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N), and the flaw can affect confidentiality and integrity if the application’s rendering path is reachable with attacker-influenced input.
Recommended defensive actions
- Upgrade Yii 2 to version 2.0.55 or later as soon as practical.
- Review any code paths that call View::renderPhpFile() or pass parameters into view rendering, and ensure attacker-controlled data cannot influence the _file_ key or equivalent include target.
- Audit deployment permissions and writable directories to reduce the chance that a separate file-write issue could be combined with this flaw.
- Search for unexpected PHP files or other artifacts in web-writable paths as part of post-upgrade validation.
- Confirm your dependency inventory identifies all applications using affected Yii 2 versions and track remediation centrally.
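To support the upgrade and inventory actions above, here is an added PHP check, not part of the advisory or of Yii, that reads a composer.lock file and reports whether the locked yiisoft/yii2 version falls in the affected range (2.0.54 and earlier, per the advisory). The composer.lock fragment is constructed; the fixed-version threshold is the advisory's own figure, and the function names are hypothetical.

```php
<?php
// Added example, not part of the advisory. The lock content below is constructed.

const YII2_FIXED_IN = '2.0.55'; // first fixed release per the advisory

/** Locked version of $package from composer.lock JSON, or null if absent. */
function lockedVersion(string $lockJson, string $package): ?string
{
    $lock = json_decode($lockJson, true);
    if (!is_array($lock)) {
        return null;
    }
    // Both production and dev sections are checked; a dev-only install is
    // still worth flagging for inventory purposes.
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $pkg) {
            if (($pkg['name'] ?? null) === $package && isset($pkg['version'])) {
                return ltrim($pkg['version'], 'v'); // tolerate a 'v2.0.54' style tag
            }
        }
    }
    return null;
}

/** True when $version is older than the first fixed release. */
function isAffected(string $version): bool
{
    // version_compare orders pre-releases (e.g. 2.0.55-beta) before 2.0.55.
    return version_compare($version, YII2_FIXED_IN, '<');
}

// Constructed composer.lock fragment standing in for a real project's file.
$sampleLock = <<<'JSON'
{"packages":[{"name":"yiisoft/yii2","version":"2.0.54"},
             {"name":"psr/log","version":"1.1.4"}],
 "packages-dev":[]}
JSON;

$version = lockedVersion($sampleLock, 'yiisoft/yii2');
if ($version === null) {
    echo "yiisoft/yii2 not present in lock file\n";
} else {
    printf("yiisoft/yii2 %s: %s\n", $version,
        isAffected($version) ? 'AFFECTED (< ' . YII2_FIXED_IN . ')' : 'fixed');
}
```

Run this against each application's committed composer.lock rather than against composer.json, since the lock file records the version actually deployed; `composer show yiisoft/yii2` inside the project reports the same installed version for a spot check.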
Evidence notes
All claims above are derived from the supplied NVD record and the linked GitHub security advisory/commit. The source corpus states that Yii 2 versions 2.0.54 and prior are affected, that the flaw is in View::renderPhpFile() due to extract($_params_, EXTR_OVERWRITE) preceding require, and that version 2.0.55 contains the fix. The NVD record lists CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N and CWE-20/CWE-98.
Official resources
The CVE was published on 2026-05-20 in the supplied NVD record, with the same-day GitHub advisory and upstream fix commit cited in the source corpus. No KEV entry is present in the provided data.