CVE-2023-26750

Name of the Vulnerable Software and Affected Versions Yii 2 Framework versions prior to 2.0.47

Description A SQL injection issue allows a remote attacker to execute arbitrary code via the runAction function. The software maintainer disputes that the vulnerability is in the framework itself, claiming it is in third-party code.

Recommendations For versions prior to 2.0.47, update to version 2.0.47 or later to resolve the issue. As a temporary workaround, consider restricting access to the runAction function until a patch is available.