CVE-2022-41922

HIGH

Yii < 1.1.27 - Insecure Deserialization

Title source: rule

Description

`yiisoft/yii` before version 1.1.27 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. This has been patched in 1.1.27.

References (2)

[Patch, Third Party Advisory] https://github.com/yiisoft/yii/commit/ed67b7cc57216557c5c595c6650cdd2d3aa41c52

View Patch ZIP pw:eip

[Third Party Advisory] https://github.com/yiisoft/yii/security/advisories/GHSA-442f-wcwq-fpcf

Scores

CVSS v3 8.1

EPSS 0.0384

EPSS Percentile 88.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502

Status published

Affected Products (2)

yiiframework/yii < 1.1.27

yiisoft/yii < 1.1.27Packagist

Timeline

Published Nov 23, 2022

Tracked Since Feb 18, 2026