{"id":"CVE-2026-39850","summary":"Yii 2: Local file inclusion via view parameter name collision","details":"Yii 2 is a PHP application framework. Versions 2.0.54 and prior contain flawed logic in the core view rendering method View::renderPhpFile() that leads to Local File Inclusion. The function calls extract($_params_, EXTR_OVERWRITE) before the require statement that loads the view file. As a result, a caller-controlled _file_ key in the $params array overwrites the internal local variable specifying which file to include, potentially enabling RCE if an attacker can write PHP files through a separate primitive, as well as information disclosure. This issue has been fixed in version 2.0.55.","aliases":["GHSA-5vpg-rj7q-qpw2"],"modified":"2026-07-15T01:48:58.013385318Z","published":"2026-05-20T19:51:03.769Z","database_specific":{"cwe_ids":["CWE-20","CWE-98"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/39xxx/CVE-2026-39850.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/39xxx/CVE-2026-39850.json"},{"type":"ADVISORY","url":"https://github.com/yiisoft/yii2/security/advisories/GHSA-5vpg-rj7q-qpw2"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-39850"},{"type":"FIX","url":"https://github.com/yiisoft/yii2/commit/109878b491dbffa541032bc99fb5e26d12cd0375"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/yiisoft/yii2","events":[{"introduced":"0"},{"fixed":"109878b491dbffa541032bc99fb5e26d12cd0375"}],"database_specific":{"source":["AFFECTED_FIELD","REFERENCES"],"extracted_events":[{"introduced":"0"},{"fixed":"2.0.55"}]}}],"versions":["2.0.54","2.0.53","2.0.52","2.0.51","2.0.50","2.0.49.2","2.0.49.1","2.0.49","2.0.48.1","2.0.48","2.0.47","2.0.46","2.0.45","2.0.44","2.0.43","2.0.42.1","2.0.42","2.0.41.1","2.0.41","2.0.40","2.0.39.3","2.0.39.2","2.0.39.1","2.0.39","2.0.38","2.0.37","2.0.36","2.0.35","2.0.34","2.0.33","2.0.32","2.0.31","2.0.30","2.0.29","2.0.28","2.0.27","2.0.26","2.0.25","2.0.24","2.0.23","2.0.22","2.0.21","2.0.20","2.0.19","2.0.18","2.0.17","2.0.16.1","2.0.16","2.0.12","2.0.13.1","2.0.14.2","2.0.14.1","2.0.14","2.0.13","2.0.11.2","2.0.11.1","2.0.11","2.0.10","2.0.9","2.0.8","2.0.7","2.0.6","2.0.4","2.0.3","2.0.2","2.0.0-rc","2.0.0-beta","2.0.0-alpha"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-39850.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"}]}