Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:composer/yiisoft/yii2@2.0.23
Typecomposer
Namespaceyiisoft
Nameyii2
Version2.0.23
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version2.0.52
Latest_non_vulnerable_version2.0.55
Affected_by_vulnerabilities
0
url VCID-7kx3-sxex-f7dz
vulnerability_id VCID-7kx3-sxex-f7dz
summary 
yiisoft/yii2 Mishandles the Attaching of Behavior Defined by a `__class` Array Key
Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an __class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-58136
reference_id
reference_type
scores
0
value 0.77265
scoring_system epss
scoring_elements 0.98997
published_at 2026-06-06T12:55:00Z
1
value 0.78947
scoring_system epss
scoring_elements 0.99079
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-58136
1
reference_url https://github.com/yiisoft/yii2
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/yiisoft/yii2
2
reference_url https://github.com/yiisoft/yii2/commit/40fe496eda529fd1d933b56a1022ec32d3cd0b12
reference_id
reference_type
scores
0
value 9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-05-02T17:42:11Z/
url https://github.com/yiisoft/yii2/commit/40fe496eda529fd1d933b56a1022ec32d3cd0b12
3
reference_url https://github.com/yiisoft/yii2/compare/2.0.51...2.0.52
reference_id
reference_type
scores
0
value 9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-05-02T17:42:11Z/
url https://github.com/yiisoft/yii2/compare/2.0.51...2.0.52
4
reference_url https://github.com/yiisoft/yii2/pull/20232
reference_id
reference_type
scores
0
value 9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-05-02T17:42:11Z/
url https://github.com/yiisoft/yii2/pull/20232
5
reference_url https://github.com/yiisoft/yii2/pull/20232#issuecomment-2252459709
reference_id
reference_type
scores
0
value 9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-05-02T17:42:11Z/
url https://github.com/yiisoft/yii2/pull/20232#issuecomment-2252459709
6
reference_url https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms
7
reference_url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-58136
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-58136
8
reference_url https://www.yiiframework.com/news/709/please-upgrade-to-yii-2-0-52
reference_id
reference_type
scores
0
value 9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-05-02T17:42:11Z/
url https://www.yiiframework.com/news/709/please-upgrade-to-yii-2-0-52
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-58136
reference_id CVE-2024-58136
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-58136
10
reference_url https://github.com/advisories/GHSA-ggwg-cmwp-46r5
reference_id GHSA-ggwg-cmwp-46r5
reference_type
scores
url https://github.com/advisories/GHSA-ggwg-cmwp-46r5
fixed_packages
0
url pkg:composer/yiisoft/yii2@2.0.52
purl pkg:composer/yiisoft/yii2@2.0.52
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/yiisoft/yii2@2.0.52
aliases CVE-2024-58136, GHSA-ggwg-cmwp-46r5
risk_score 10.0
exploitability 2.0
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7kx3-sxex-f7dz
1
url VCID-gwmb-kcz9-d7b9
vulnerability_id VCID-gwmb-kcz9-d7b9
summary 
Deserialization of Untrusted Data
Yii 2 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary user input.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-15148
reference_id
reference_type
scores
0
value 0.93433
scoring_system epss
scoring_elements 0.99827
published_at 2026-06-05T12:55:00Z
1
value 0.93433
scoring_system epss
scoring_elements 0.99826
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-15148
1
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/yiisoft/yii2/CVE-2020-15148.yaml
reference_id
reference_type
scores
0
value 8.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/yiisoft/yii2/CVE-2020-15148.yaml
2
reference_url https://github.com/yiisoft/yii2/commit/9abccb96d7c5ddb569f92d1a748f50ee9b3e2b99
reference_id
reference_type
scores
0
value 8.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/yiisoft/yii2/commit/9abccb96d7c5ddb569f92d1a748f50ee9b3e2b99
3
reference_url https://www.yiiframework.com/news/303/yii-2-0-38
reference_id
reference_type
scores
0
value 8.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.yiiframework.com/news/303/yii-2-0-38
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-15148
reference_id CVE-2020-15148
reference_type
scores
0
value 8.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-15148
5
reference_url https://github.com/advisories/GHSA-699q-wcff-g9mj
reference_id GHSA-699q-wcff-g9mj
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-699q-wcff-g9mj
6
reference_url https://github.com/yiisoft/yii2/security/advisories/GHSA-699q-wcff-g9mj
reference_id GHSA-699q-wcff-g9mj
reference_type
scores
0
value 8.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/yiisoft/yii2/security/advisories/GHSA-699q-wcff-g9mj
fixed_packages
0
url pkg:composer/yiisoft/yii2@2.0.38
purl pkg:composer/yiisoft/yii2@2.0.38
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7kx3-sxex-f7dz
1
vulnerability VCID-nnt3-u39w-yqa9
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/yiisoft/yii2@2.0.38
aliases CVE-2020-15148, GHSA-699q-wcff-g9mj
risk_score 10.0
exploitability 2.0
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gwmb-kcz9-d7b9
2
url VCID-nnt3-u39w-yqa9
vulnerability_id VCID-nnt3-u39w-yqa9
summary 
Unsafe Reflection in base Component class in yiisoft/yii2
Yii2 supports attaching Behaviors to Components by setting properties having the format `'as <behaviour-name>'`.

Internally this is done using the `__set()` magic method. If the value passed to this method is not an instance of the `Behavior` class, a new object is instantiated using `Yii::createObject($value)`. However, there is no validation check that verifies that `$value` is a valid `Behavior` class name or configuration. An attacker that can control the content of the $value variable can then instantiate arbitrary classes, passing parameters to their constructors and then invoking setter methods.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-4990
reference_id
reference_type
scores
0
value 0.002
scoring_system epss
scoring_elements 0.42035
published_at 2026-06-06T12:55:00Z
1
value 0.002
scoring_system epss
scoring_elements 0.42025
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-4990
1
reference_url https://github.com/yiisoft/yii2
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/yiisoft/yii2
2
reference_url https://github.com/yiisoft/yii2/blob/master/framework/CHANGELOG.md#2050-may-30-2024
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/yiisoft/yii2/blob/master/framework/CHANGELOG.md#2050-may-30-2024
3
reference_url https://github.com/yiisoft/yii2/commit/628d406bfafb80fc32147837888c0057d89a021e
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/yiisoft/yii2/commit/628d406bfafb80fc32147837888c0057d89a021e
4
reference_url https://github.com/yiisoft/yii2/commit/62d081f18c3602d09e7d075bba3a0ca5c313f0b4
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/yiisoft/yii2/commit/62d081f18c3602d09e7d075bba3a0ca5c313f0b4
5
reference_url https://github.com/yiisoft/yii2/pull/20183
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/yiisoft/yii2/pull/20183
6
reference_url https://huntr.com/bounties/4fbdd965-02b6-42e4-b57b-f98f93415b8f
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-03-20T13:30:40Z/
url https://huntr.com/bounties/4fbdd965-02b6-42e4-b57b-f98f93415b8f
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-4990
reference_id CVE-2024-4990
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-4990
8
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/yiisoft/yii2/CVE-2024-4990.yaml
reference_id CVE-2024-4990.YAML
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/yiisoft/yii2/CVE-2024-4990.yaml
9
reference_url https://github.com/advisories/GHSA-cjcc-p67m-7qxm
reference_id GHSA-cjcc-p67m-7qxm
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-cjcc-p67m-7qxm
10
reference_url https://github.com/yiisoft/yii2/security/advisories/GHSA-cjcc-p67m-7qxm
reference_id GHSA-cjcc-p67m-7qxm
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/yiisoft/yii2/security/advisories/GHSA-cjcc-p67m-7qxm
fixed_packages
0
url pkg:composer/yiisoft/yii2@2.0.49%2B4
purl pkg:composer/yiisoft/yii2@2.0.49%2B4
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/yiisoft/yii2@2.0.49%252B4
1
url pkg:composer/yiisoft/yii2@2.0.50
purl pkg:composer/yiisoft/yii2@2.0.50
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7kx3-sxex-f7dz
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/yiisoft/yii2@2.0.50
aliases CVE-2024-4990, GHSA-cjcc-p67m-7qxm
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nnt3-u39w-yqa9
Fixing_vulnerabilities
Risk_score10.0
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:composer/yiisoft/yii2@2.0.23