CVE-2020-15148

HIGH NUCLEI

Yii 2 <2.0.38 - Remote Code Execution via Unsafe unserialize()

Title source: manual

Exploitation Summary

EIP tracks 2 public exploits for CVE-2020-15148. PoCs published by Maskhe, 0xkami. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains multiple proof-of-concept exploits for CVE-2020-15148, a Yii2 deserialization vulnerability. The PoCs demonstrate different bypass techniques to achieve remote code execution (RCE) via crafted serialized payloads.

Description

Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary user input. This is fixed in version 2.0.38. A possible workaround without upgrading is available in the linked advisory.

Exploits (2)

nomisec WORKING POC 75 stars

by Maskhe · poc

https://github.com/Maskhe/CVE-2020-15148-bypasses

View Code ZIP pw:eip

This repository contains multiple proof-of-concept exploits for CVE-2020-15148, a Yii2 deserialization vulnerability. The PoCs demonstrate different bypass techniques to achieve remote code execution (RCE) via crafted serialized payloads.

Classification

Working Poc 95%

Attack Type

Deserialization

Complexity

Moderate

Reliability

Reliable

Target: Yii2 Framework (versions 2.0.37 and earlier)

No auth needed

Prerequisites: Access to a vulnerable Yii2 application with unserialization of user-controlled input

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 6 stars

by 0xkami · poc

https://github.com/0xkami/cve-2020-15148

View Code ZIP pw:eip

This PoC demonstrates a PHP deserialization vulnerability (CVE-2020-15148) in Yii2 applications, leveraging a gadget chain to achieve remote code execution (RCE) via the `system` function. The exploit constructs a malicious serialized payload that triggers arbitrary command execution when deserialized.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Yii2 Framework (versions affected by CVE-2020-15148)

No auth needed

Prerequisites: Target application must be using a vulnerable version of Yii2 · The `unserialize` function must be reachable via user input (e.g., through a parameter like `name`)

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Yii 2 < 2.0.38 - Remote Code Execution

CRITICALby pikpikcu

References (2)

Core 2

Core References

Mitigation, Third Party Advisory x_refsource_confirm

https://github.com/yiisoft/yii2/security/advisories/GHSA-699q-wcff-g9mj

Patch, Third Party Advisory x_refsource_misc

https://github.com/yiisoft/yii2/commit/9abccb96d7c5ddb569f92d1a748f50ee9b3e2b99

View Patch ZIP pw:eip

Scores

CVSS v3 8.9

EPSS 0.7923

EPSS Percentile 99.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:H

Details

CWE

CWE-502

Status published

Products (2)

yiiframework/yii < 2.0.38

yiisoft/yii2 0 - 2.0.38Packagist

Published Sep 15, 2020

Tracked Since Feb 18, 2026