CVE-2023-26750: Withdrawn: SQL injection in Yii 2
CVSS Score: 9.8 (CVSS 3.1)
Basic Information
CVE ID: CVE-2023-26750
GHSA ID:
EPSS Score: 0.91437%
CWE:
Published: 4/4/2023
Updated: 2/13/2025
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| yiisoft/yii2 | composer | < 2.0.47 | 2.0.47 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The analysis focuses on `runAction`, the function explicitly named in all vulnerability descriptions, even though the framework maintainers dispute the report. Runtime detection would see this controller method in the call stack when the application processes attacker-controlled parameters that flow into SQL queries. Because the function receives those parameters, it is a key indicator even if the actual injection occurs deeper, in application-specific code that uses them.