Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-1yn3-2dn2-t7ec

Summary

Command injection in yiisoft/yii2-gii
Yii Yii2 Gii before 2.2.2 allows remote attackers to execute arbitrary code via the Generator.php messageCategory field. The attacker can embed arbitrary PHP code into the model file.

Aliases

alias	CVE-2020-36655

alias	GHSA-3mpg-q26j-83j5

Fixed_packages

url pkg:composer/yiisoft/yii2-gii@2.2.2

purl pkg:composer/yiisoft/yii2-gii@2.2.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-j49j-9han-aug5

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/yiisoft/yii2-gii@2.2.2

Affected_packages

url pkg:composer/yiisoft/yii2-gii@2.0.5

purl pkg:composer/yiisoft/yii2-gii@2.0.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1yn3-2dn2-t7ec

vulnerability	VCID-j49j-9han-aug5

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/yiisoft/yii2-gii@2.0.5

url pkg:composer/yiisoft/yii2-gii@2.0.6

purl pkg:composer/yiisoft/yii2-gii@2.0.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1yn3-2dn2-t7ec

vulnerability	VCID-j49j-9han-aug5

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/yiisoft/yii2-gii@2.0.6

url pkg:composer/yiisoft/yii2-gii@2.0.7

purl pkg:composer/yiisoft/yii2-gii@2.0.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1yn3-2dn2-t7ec

vulnerability	VCID-j49j-9han-aug5

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/yiisoft/yii2-gii@2.0.7

url pkg:composer/yiisoft/yii2-gii@2.0.8

purl pkg:composer/yiisoft/yii2-gii@2.0.8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1yn3-2dn2-t7ec

vulnerability	VCID-j49j-9han-aug5

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/yiisoft/yii2-gii@2.0.8

url pkg:composer/yiisoft/yii2-gii@2.1.0

purl pkg:composer/yiisoft/yii2-gii@2.1.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1yn3-2dn2-t7ec

vulnerability	VCID-j49j-9han-aug5

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/yiisoft/yii2-gii@2.1.0

url pkg:composer/yiisoft/yii2-gii@2.1.1

purl pkg:composer/yiisoft/yii2-gii@2.1.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1yn3-2dn2-t7ec

vulnerability	VCID-j49j-9han-aug5

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/yiisoft/yii2-gii@2.1.1

url pkg:composer/yiisoft/yii2-gii@2.1.2

purl pkg:composer/yiisoft/yii2-gii@2.1.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1yn3-2dn2-t7ec

vulnerability	VCID-j49j-9han-aug5

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/yiisoft/yii2-gii@2.1.2

url pkg:composer/yiisoft/yii2-gii@2.1.3

purl pkg:composer/yiisoft/yii2-gii@2.1.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1yn3-2dn2-t7ec

vulnerability	VCID-j49j-9han-aug5

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/yiisoft/yii2-gii@2.1.3

url pkg:composer/yiisoft/yii2-gii@2.1.4

purl pkg:composer/yiisoft/yii2-gii@2.1.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1yn3-2dn2-t7ec

vulnerability	VCID-j49j-9han-aug5

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/yiisoft/yii2-gii@2.1.4

url pkg:composer/yiisoft/yii2-gii@2.2.0

purl pkg:composer/yiisoft/yii2-gii@2.2.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1yn3-2dn2-t7ec

vulnerability	VCID-j49j-9han-aug5

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/yiisoft/yii2-gii@2.2.0

url pkg:composer/yiisoft/yii2-gii@2.2.1

purl pkg:composer/yiisoft/yii2-gii@2.2.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1yn3-2dn2-t7ec

vulnerability	VCID-j49j-9han-aug5

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/yiisoft/yii2-gii@2.2.1

url pkg:composer/yiisoft/yii2-gii@2.0.0-alpha

purl pkg:composer/yiisoft/yii2-gii@2.0.0-alpha

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1yn3-2dn2-t7ec

vulnerability	VCID-hhby-y7fg-tqax

vulnerability	VCID-j49j-9han-aug5

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/yiisoft/yii2-gii@2.0.0-alpha

url pkg:composer/yiisoft/yii2-gii@2.0.0-beta

purl pkg:composer/yiisoft/yii2-gii@2.0.0-beta

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1yn3-2dn2-t7ec

vulnerability	VCID-hhby-y7fg-tqax

vulnerability	VCID-j49j-9han-aug5

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/yiisoft/yii2-gii@2.0.0-beta

url pkg:composer/yiisoft/yii2-gii@2.0.0-rc

purl pkg:composer/yiisoft/yii2-gii@2.0.0-rc

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1yn3-2dn2-t7ec

vulnerability	VCID-hhby-y7fg-tqax

vulnerability	VCID-j49j-9han-aug5

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/yiisoft/yii2-gii@2.0.0-rc

url pkg:composer/yiisoft/yii2-gii@2.0.0

purl pkg:composer/yiisoft/yii2-gii@2.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1yn3-2dn2-t7ec

vulnerability	VCID-hhby-y7fg-tqax

vulnerability	VCID-j49j-9han-aug5

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/yiisoft/yii2-gii@2.0.0

url pkg:composer/yiisoft/yii2-gii@2.0.1

purl pkg:composer/yiisoft/yii2-gii@2.0.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1yn3-2dn2-t7ec

vulnerability	VCID-hhby-y7fg-tqax

vulnerability	VCID-j49j-9han-aug5

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/yiisoft/yii2-gii@2.0.1

url pkg:composer/yiisoft/yii2-gii@2.0.2

purl pkg:composer/yiisoft/yii2-gii@2.0.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1yn3-2dn2-t7ec

vulnerability	VCID-hhby-y7fg-tqax

vulnerability	VCID-j49j-9han-aug5

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/yiisoft/yii2-gii@2.0.2

url pkg:composer/yiisoft/yii2-gii@2.0.3

purl pkg:composer/yiisoft/yii2-gii@2.0.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1yn3-2dn2-t7ec

vulnerability	VCID-hhby-y7fg-tqax

vulnerability	VCID-j49j-9han-aug5

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/yiisoft/yii2-gii@2.0.3

url pkg:composer/yiisoft/yii2-gii@2.0.4

purl pkg:composer/yiisoft/yii2-gii@2.0.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1yn3-2dn2-t7ec

vulnerability	VCID-j49j-9han-aug5

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/yiisoft/yii2-gii@2.0.4

References

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2020-36655

reference_id

reference_type

scores

value	0.04201
scoring_system	epss
scoring_elements	0.88941
published_at	2026-06-05T12:55:00Z

value	0.04201
scoring_system	epss
scoring_elements	0.88924
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2020-36655

reference_url

https://github.com/yiisoft/yii2-gii

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/yiisoft/yii2-gii

reference_url

https://github.com/yiisoft/yii2-gii/commit/ed61e0d85f43e23f79d7c9d1b4e5e5c09a32ce4b

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/yiisoft/yii2-gii/commit/ed61e0d85f43e23f79d7c9d1b4e5e5c09a32ce4b

reference_url

https://github.com/yiisoft/yii2-gii/issues/433

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-04-02T13:47:08Z/

url

https://github.com/yiisoft/yii2-gii/issues/433

reference_url

https://lab.wallarm.com/yii2-gii-remote-code-execution

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lab.wallarm.com/yii2-gii-remote-code-execution

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2020-36655

reference_id

CVE-2020-36655

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2020-36655

reference_url	https://github.com/advisories/GHSA-3mpg-q26j-83j5
reference_id	GHSA-3mpg-q26j-83j5
reference_type
scores
url	https://github.com/advisories/GHSA-3mpg-q26j-83j5

reference_url

https://lab.wallarm.com/yii2-gii-remote-code-execution/

reference_id

yii2-gii-remote-code-execution

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-04-02T13:47:08Z/

url

https://lab.wallarm.com/yii2-gii-remote-code-execution/

Weaknesses

cwe_id	94
name	Improper Control of Generation of Code ('Code Injection')
description	The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

Exploits

Severity_range_score 7.0 - 8.9

Exploitability null

Weighted_severity null

Risk_score null

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1yn3-2dn2-t7ec

Vulnerability Instance