VulnerableCode Package Details - pkg:composer/yiisoft/yii2-dev@2.0.38

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:composer/yiisoft/yii2-dev@2.0.38

Essentials
History (5)

purl	pkg:composer/yiisoft/yii2-dev@2.0.38

Next non-vulnerable version	3.0.0-alpha1
Latest non-vulnerable version	3.0.0-alpha1
Risk

Vulnerabilities affecting this package (4)

Vulnerability	Summary	Fixed by
VCID-6rub-m94d-jfct Aliases: CVE-2021-3689 GHSA-hq3v-rg6f-6hx4	Use of Insufficiently Random Values yii2 is vulnerable to use of predictable algorithm in a random number generator	2.0.43 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-gb9u-t143-vker Aliases: CVE-2021-3692 GHSA-wwvv-x5mq-h3jj	Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator	2.0.43 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-x388-wd41-tkh3 Aliases: CVE-2025-2689 GHSA-88m2-j94x-v4fx	yiisoft Yii2 Deserialization of Untrusted Data A vulnerability, which was classified as critical, has been found in yiisoft Yii2 up to 2.0.45. Affected by this issue is the function getIterator of the file symfony\finder\Iterator\SortableIterator.php. The manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.	2.0.46 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-xrgb-33bd-ckat Aliases: CVE-2023-26750 GHSA-gq63-p39p-jrjf	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') SQL injection vulnerability found in Yii Framework Yii 2 Framework before v.2.0.47 allows the a remote attacker to execute arbitrary code via the runAction function.	3.0.0-alpha1 Affected by 0 other vulnerabilities.

Vulnerabilities fixed by this package (1)

Vulnerability	Summary	Aliases
VCID-gwmb-kcz9-d7b9	Deserialization of Untrusted Data Yii 2 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary user input.	CVE-2020-15148 GHSA-699q-wcff-g9mj

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T05:44:36.359698+00:00	GitLab Importer	Affected by	VCID-x388-wd41-tkh3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/yiisoft/yii2-dev/CVE-2025-2689.yml	38.6.0
2026-06-06T03:38:46.894430+00:00	GitLab Importer	Affected by	VCID-xrgb-33bd-ckat	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/yiisoft/yii2-dev/CVE-2023-26750.yml	38.6.0
2026-06-06T00:49:56.075709+00:00	GitLab Importer	Affected by	VCID-6rub-m94d-jfct	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/yiisoft/yii2-dev/CVE-2021-3689.yml	38.6.0
2026-06-06T00:49:54.591337+00:00	GitLab Importer	Affected by	VCID-gb9u-t143-vker	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/yiisoft/yii2-dev/CVE-2021-3692.yml	38.6.0
2026-06-04T16:20:25.427983+00:00	GitLab Importer	Fixing	VCID-gwmb-kcz9-d7b9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/yiisoft/yii2-dev/CVE-2020-15148.yml	38.6.0