{"id":"CVE-2020-36655","details":"Yii Yii2 Gii before 2.2.2 allows remote attackers to execute arbitrary code via the Generator.php messageCategory field. The attacker can embed arbitrary PHP code into the model file.","aliases":["GHSA-3mpg-q26j-83j5"],"modified":"2026-03-14T10:30:13.704780Z","published":"2023-01-21T01:15:12.343Z","references":[{"type":"REPORT","url":"https://github.com/yiisoft/yii2-gii/issues/433"},{"type":"EVIDENCE","url":"https://lab.wallarm.com/yii2-gii-remote-code-execution/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/yiisoft/yii2-gii","events":[{"introduced":"0"},{"fixed":"68efc6fb830feccfaa43354817b5bcd36c7bd5a8"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.2.2"}]}}],"versions":["2.0.0","2.0.0-beta","2.0.0-rc","2.0.1","2.0.2","2.0.3","2.0.4","2.0.5","2.0.6","2.0.7","2.0.8","2.1.0","2.1.1","2.1.2","2.1.3","2.1.4","2.2.0","2.2.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-36655.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}