CVE-2020-15148

HIGH NUCLEI

Yii 2 <2.0.38 - RCE

Title source: llm

Description

Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary user input. This is fixed in version 2.0.38. A possible workaround without upgrading is available in the linked advisory.

Exploits (2)

nomisec WORKING POC 75 stars

by Maskhe · poc

https://github.com/Maskhe/CVE-2020-15148-bypasses

View Code ZIP pw:eip

nomisec WORKING POC 6 stars

by 0xkami · poc

https://github.com/0xkami/cve-2020-15148

View Code ZIP pw:eip

Nuclei Templates (1)

Yii 2 < 2.0.38 - Remote Code Execution

CRITICALby pikpikcu

References (2)

[Patch, Third Party Advisory] https://github.com/yiisoft/yii2/commit/9abccb96d7c5ddb569f92d1a748f50ee9b3e2b99

[Mitigation, Third Party Advisory] https://github.com/yiisoft/yii2/security/advisories/GHSA-699q-wcff-g9mj

Scores

CVSS v3 8.9

EPSS 0.9343

EPSS Percentile 99.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:H

Classification

CWE

CWE-502

Status published

Affected Products (2)

yiiframework/yii < 2.0.38

yiisoft/yii2 < 2.0.38Packagist

Timeline

Published Sep 15, 2020

Tracked Since Feb 18, 2026