VulnerableCode Package Details - pkg:composer/yiisoft/yii2@2.0.29

Search for packages

Vulnerability	Summary	Fixed by
VCID-7kx3-sxex-f7dz Aliases: CVE-2024-58136 GHSA-ggwg-cmwp-46r5	yiisoft/yii2 Mishandles the Attaching of Behavior Defined by a `__class` Array Key Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an __class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025.	2.0.52 Affected by 0 other vulnerabilities.
VCID-gwmb-kcz9-d7b9 Aliases: CVE-2020-15148 GHSA-699q-wcff-g9mj	Deserialization of Untrusted Data Yii 2 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary user input.	2.0.38 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-nnt3-u39w-yqa9 Aliases: CVE-2024-4990 GHSA-cjcc-p67m-7qxm	Unsafe Reflection in base Component class in yiisoft/yii2 Yii2 supports attaching Behaviors to Components by setting properties having the format `'as <behaviour-name>'`. Internally this is done using the `__set()` magic method. If the value passed to this method is not an instance of the `Behavior` class, a new object is instantiated using `Yii::createObject($value)`. However, there is no validation check that verifies that `$value` is a valid `Behavior` class name or configuration. An attacker that can control the content of the $value variable can then instantiate arbitrary classes, passing parameters to their constructors and then invoking setter methods.	2.0.49+4 Affected by 0 other vulnerabilities. 2.0.50 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-7kx3-sxex-f7dz
Aliases:
CVE-2024-58136
GHSA-ggwg-cmwp-46r5

yiisoft/yii2 Mishandles the Attaching of Behavior Defined by a `__class` Array Key Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an __class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025.

2.0.52
Affected by 0 other vulnerabilities.

VCID-gwmb-kcz9-d7b9
Aliases:
CVE-2020-15148
GHSA-699q-wcff-g9mj

Deserialization of Untrusted Data Yii 2 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary user input.

2.0.38
Affected by 2 other vulnerabilities.

VCID-nnt3-u39w-yqa9
Aliases:
CVE-2024-4990
GHSA-cjcc-p67m-7qxm

Unsafe Reflection in base Component class in yiisoft/yii2 Yii2 supports attaching Behaviors to Components by setting properties having the format `'as <behaviour-name>'`. Internally this is done using the `__set()` magic method. If the value passed to this method is not an instance of the `Behavior` class, a new object is instantiated using `Yii::createObject($value)`. However, there is no validation check that verifies that `$value` is a valid `Behavior` class name or configuration. An attacker that can control the content of the $value variable can then instantiate arbitrary classes, passing parameters to their constructors and then invoking setter methods.

2.0.49+4
Affected by 0 other vulnerabilities.

2.0.50
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T05:46:45.723993+00:00	GitLab Importer	Affected by	VCID-7kx3-sxex-f7dz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/yiisoft/yii2/CVE-2024-58136.yml	38.6.0
2026-06-06T05:01:58.397600+00:00	GitLab Importer	Affected by	VCID-nnt3-u39w-yqa9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/yiisoft/yii2/CVE-2024-4990.yml	38.6.0
2026-06-04T20:38:56.769563+00:00	GitLab Importer	Affected by	VCID-gwmb-kcz9-d7b9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/yiisoft/yii2/CVE-2020-15148.yml	38.6.0