Package details: pkg:composer/yiisoft/yii2-dev@2.0.0-alpha
purl pkg:composer/yiisoft/yii2-dev@2.0.0-alpha
Next non-vulnerable version 3.0.0-alpha1
Latest non-vulnerable version 3.0.0-alpha1
Risk 10.0
Vulnerabilities affecting this package (8)
Vulnerability Summary Fixed by
VCID-4xj7-j7qz-2kd2
Aliases:
CVE-2018-6010
GHSA-8gfq-c54m-3rf6
Information disclosure Remote attackers can obtain potentially sensitive information from exception messages printed by the error handler in non-debug mode.
2.0.14
Affected by 8 other vulnerabilities.
VCID-gwmb-kcz9-d7b9
Aliases:
CVE-2020-15148
GHSA-699q-wcff-g9mj
Deserialization of Untrusted Data Yii 2 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary user input.
2.0.38
Affected by 4 other vulnerabilities.
VCID-hhby-y7fg-tqax
Aliases:
CVE-2015-3397
GHSA-w2xx-jp9f-gp8g
Cross-site Scripting Cross-site scripting (XSS) vulnerability in Yii Framework allows remote attackers to inject arbitrary web script or HTML via vectors related to JSON, arrays, and Internet Explorer 6.
2.0.4
Affected by 12 other vulnerabilities.
VCID-jkfv-pxp7-9qba
Aliases:
CVE-2018-8073
GHSA-4hx3-m8w5-g5qh
Remote code execution Redis extension of Yii 2 allows remote attackers to execute arbitrary LUA code via a variant of the CVE-2018-7269 attack.
2.0.15
Affected by 6 other vulnerabilities.
VCID-uybn-p34d-pbga
Aliases:
CVE-2015-5467
GHSA-7cfq-72w2-24q4
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') Class `yii\web\ViewAction` allowed to include arbitrary files that end with `.php`.
2.0.5
Affected by 11 other vulnerabilities.
VCID-x388-wd41-tkh3
Aliases:
CVE-2025-2689
GHSA-88m2-j94x-v4fx
yiisoft Yii2 Deserialization of Untrusted Data A vulnerability, which was classified as critical, has been found in yiisoft Yii2 up to 2.0.45. Affected by this issue is the function getIterator of the file symfony\finder\Iterator\SortableIterator.php. The manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
2.0.46
Affected by 1 other vulnerability.
VCID-x788-tu9q-byfu
Aliases:
CVE-2018-6009
GHSA-cwhm-272p-3wj9
CSRF vulnerability in switchIdentity The `switchIdentity()` function in `web/User.php` did not regenerate the CSRF token upon a change of identity.
2.0.14
Affected by 8 other vulnerabilities.
VCID-y165-fy8y-2fcc
Aliases:
CVE-2018-7269
GHSA-hhg2-g6h6-c266
The `findByCondition` function in `framework/db/ActiveRecord.php` allows remote attackers to conduct SQL injection attacks via a `findOne()` or `findAll()` call, unless a developer recognizes an undocumented need to sanitize array input.
2.0.12+1
Affected by 0 other vulnerabilities.
2.0.12.1
Affected by 8 other vulnerabilities.
2.0.13+2
Affected by 0 other vulnerabilities.
2.0.13.2
Affected by 8 other vulnerabilities.
2.0.15
Affected by 6 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-06T05:44:36.102532+00:00 GitLab Importer Affected by VCID-x388-wd41-tkh3 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/yiisoft/yii2-dev/CVE-2025-2689.yml 38.6.0
2026-06-04T20:38:55.673279+00:00 GitLab Importer Affected by VCID-gwmb-kcz9-d7b9 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/yiisoft/yii2-dev/CVE-2020-15148.yml 38.6.0
2026-06-04T20:11:38.934248+00:00 GitLab Importer Affected by VCID-jkfv-pxp7-9qba https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/yiisoft/yii2-dev/CVE-2018-8073.yml 38.6.0
2026-06-04T20:11:38.669852+00:00 GitLab Importer Affected by VCID-y165-fy8y-2fcc https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/yiisoft/yii2-dev/CVE-2018-7269.yml 38.6.0
2026-06-04T20:10:56.922996+00:00 GitLab Importer Affected by VCID-x788-tu9q-byfu https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/yiisoft/yii2-dev/CVE-2018-6009.yml 38.6.0
2026-06-04T20:10:56.570288+00:00 GitLab Importer Affected by VCID-4xj7-j7qz-2kd2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/yiisoft/yii2-dev/CVE-2018-6010.yml 38.6.0
2026-06-04T20:04:56.258459+00:00 GitLab Importer Affected by VCID-uybn-p34d-pbga https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/yiisoft/yii2-dev/CVE-2015-5467.yml 38.6.0
2026-06-04T20:04:49.851891+00:00 GitLab Importer Affected by VCID-hhby-y7fg-tqax https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/yiisoft/yii2-dev/CVE-2015-3397.yml 38.6.0