Vendor
A local file inclusion vulnerability (CVE-2026-39850) exists in Yii 2 versions prior to 2.0.55 due to the `View::renderPhpFile()` method's handling of the `_file_` parameter, allowing attackers to read arbitrary files and potentially achieve remote code execution if they can write PHP files.