{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/yiisoft/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["yii2 (\u003c 2.0.55)"],"_cs_severities":["high"],"_cs_tags":["lfi","file-inclusion","php","cloud"],"_cs_type":"advisory","_cs_vendors":["Yiisoft"],"content_html":"\u003cp\u003eYii 2, a PHP framework, is vulnerable to a local file inclusion (LFI) vulnerability (CVE-2026-39850) affecting versions prior to 2.0.55. The flaw lies in the \u003ccode\u003eView::renderPhpFile()\u003c/code\u003e method, which calls \u003ccode\u003eextract($_params_, EXTR_OVERWRITE)\u003c/code\u003e before including the view file. Because the method's own argument holding the view path is a local variable named \u003ccode\u003e$_file_\u003c/code\u003e, a view parameter whose key is \u003ccode\u003e_file_\u003c/code\u003e overwrites it during extraction. An attacker who can inject that key into the \u003ccode\u003e$params\u003c/code\u003e array (for example, when an application passes request data straight through as view parameters) therefore chooses which file is included. The vulnerability can be exploited to read arbitrary files that the PHP process can access. If the attacker can also write a PHP file to the server through a separate vulnerability or misconfiguration, including that file turns the LFI into remote code execution (RCE). 
This vulnerability impacts systems using the vulnerable versions of the Yii 2 framework and highlights the risk of extracting an untrusted array into a function's local scope.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Yii 2 application running a version prior to 2.0.55.\u003c/li\u003e\n\u003cli\u003eThe attacker discovers a page or functionality that renders a view through \u003ccode\u003eView::renderPhpFile()\u003c/code\u003e with parameters derived from request data.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a request to this page that places a \u003ccode\u003e_file_\u003c/code\u003e key, whose value is the path of the file to include, into the \u003ccode\u003e$params\u003c/code\u003e array.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eView::renderPhpFile()\u003c/code\u003e calls \u003ccode\u003eextract($_params_, EXTR_OVERWRITE)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker-controlled \u003ccode\u003e_file_\u003c/code\u003e entry overwrites the method's local \u003ccode\u003e$_file_\u003c/code\u003e variable, which should still point to the intended view file.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003erequire\u003c/code\u003e statement then includes the file at the attacker-chosen path.\u003c/li\u003e\n\u003cli\u003eIf that path names an existing file, its contents are emitted into the response: PHP code in it is executed, anything else is output verbatim.\u003c/li\u003e\n\u003cli\u003eIf the attacker can also write PHP code to the server (via another vulnerability or misconfiguration), pointing \u003ccode\u003e_file_\u003c/code\u003e at that file results in arbitrary code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to read arbitrary files on the server that the web server process can access. This can lead to information disclosure, including sensitive configuration files, source code, or user data. 
Furthermore, if an attacker can upload or create PHP files on the server, they can leverage this LFI to achieve remote code execution, potentially leading to full system compromise. Exposure is limited to applications that run a vulnerable version and let untrusted data determine the keys of the view parameter array.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Yii 2 version 2.0.55 or later to patch CVE-2026-39850.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Yii2 LFI via file parameter overwrite\u0026rdquo; to your SIEM to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eReview application code that reaches \u003ccode\u003eView::renderPhpFile()\u003c/code\u003e (including \u003ccode\u003erender()\u003c/code\u003e and \u003ccode\u003erenderPartial()\u003c/code\u003e calls) and ensure that user-supplied input never determines the keys of the \u003ccode\u003e$params\u003c/code\u003e array: pass an explicit set of named parameters rather than \u003ccode\u003e$_GET\u003c/code\u003e, \u003ccode\u003e$_POST\u003c/code\u003e or \u003ccode\u003eYii::$app-\u003erequest-\u003eget()\u003c/code\u003e wholesale, and reject a \u003ccode\u003e_file_\u003c/code\u003e key outright.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-11T19:35:58Z","date_published":"2026-05-11T19:35:58Z","id":"https://feed.craftedsignal.io/briefs/2026-05-yii2-lfi/","summary":"A local file inclusion vulnerability (CVE-2026-39850) exists in Yii 2 versions prior to 2.0.55 because `View::renderPhpFile()` extracts view parameters with EXTR_OVERWRITE, so a parameter named `_file_` replaces the local variable that selects the included file, allowing attackers to read arbitrary files and potentially achieve remote code execution if they can write PHP files.","title":"Yii 2 Local File Inclusion via View Parameter Name Collision (CVE-2026-39850)","url":"https://feed.craftedsignal.io/briefs/2026-05-yii2-lfi/"}],"language":"en","title":"CraftedSignal Threat Feed — Yiisoft","version":"https://jsonfeed.org/version/1.1"}
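As an added illustration that is not part of the feed above and is not Yii's own code, the following PHP script rebuilds the pattern the advisory describes in a stripped-down stand-in for View::renderPhpFile(): a vulnerable variant that extracts parameters with EXTR_OVERWRITE before the require, and a hardened variant that rejects reserved parameter names and extracts with EXTR_SKIP. The hardened variant demonstrates the defensive principle only; it is not a claim about what the upstream 2.0.55 patch does. The function names renderPhpFileVulnerable and renderPhpFileHardened, the temporary view and secret files, and the request array are all constructed for the demo.

```php
<?php
// Added example (not Yii's code): a minimal stand-in for the
// View::renderPhpFile() pattern described in the advisory, in two variants.
// Assumptions: a writable temp directory for the "view" files, and that
// $params comes straight from a request array (the unsafe application pattern).

declare(strict_types=1);

// Vulnerable shape: extract() with EXTR_OVERWRITE runs before the require,
// so a $_params_['_file_'] key silently replaces the $_file_ local.
function renderPhpFileVulnerable(string $_file_, array $_params_ = []): string
{
    ob_start();
    extract($_params_, EXTR_OVERWRITE);
    try {
        require $_file_;            // may no longer be the caller's file
        return (string) ob_get_clean();
    } catch (\Throwable $e) {
        ob_end_clean();
        throw $e;
    }
}

// Hardened shape: reject parameter names that collide with the method's own
// locals, then use EXTR_SKIP so any remaining collision leaves the local alone.
function renderPhpFileHardened(string $_file_, array $_params_ = []): string
{
    $collisions = array_intersect_key($_params_, array_flip(['_file_', '_params_', 'this']));
    if ($collisions !== []) {
        throw new \InvalidArgumentException(
            'Reserved view parameter name(s): ' . implode(', ', array_keys($collisions))
        );
    }
    unset($collisions);             // do not leave extra locals for extract() to skip
    ob_start();
    extract($_params_, EXTR_SKIP);
    try {
        require $_file_;            // still the caller's path
        return (string) ob_get_clean();
    } catch (\Throwable $e) {
        ob_end_clean();
        throw $e;
    }
}

// Constructed fixture: the intended view and a "secret" file on disk.
$dir = sys_get_temp_dir() . '/yii2-lfi-demo-' . getmypid();
mkdir($dir);
file_put_contents("$dir/index.php", 'Hello, <?= htmlspecialchars($name) ?>');
file_put_contents("$dir/secret.txt", 'db_password=hunter2');

// Constructed request, as an app would produce with render('index', $_GET):
// the attacker adds a key named _file_ next to the legitimate parameters.
$params = ['name' => 'Alice', '_file_' => "$dir/secret.txt"];

echo 'vulnerable: ', renderPhpFileVulnerable("$dir/index.php", $params), PHP_EOL;

try {
    echo 'hardened: ', renderPhpFileHardened("$dir/index.php", $params), PHP_EOL;
} catch (\InvalidArgumentException $e) {
    echo 'hardened blocked: ', $e->getMessage(), PHP_EOL;
}

echo 'hardened, clean params: ', renderPhpFileHardened("$dir/index.php", ['name' => 'Alice']), PHP_EOL;

array_map('unlink', ["$dir/index.php", "$dir/secret.txt"]);
rmdir($dir);
```

Run it with the php CLI. The vulnerable variant emits the contents of secret.txt instead of the rendered view, because require reads whatever path $_file_ holds after extraction and outputs non-PHP content verbatim; the hardened variant throws on the reserved key and renders the greeting once the key is gone. EXTR_SKIP alone would already protect $_file_ here, but the explicit reserved-name check makes the rejection visible to callers and loggable, which is what a detection rule such as the one the advisory names would key on.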