Cyber Resilience

CVE-2023-26750

Severity: Critical · Public PoC referenced
Published: 04 April 2023
Modified: 13 February 2025
KEV: not listed
CVSS v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.1102 (93.6th percentile)
Risk Priority: 26 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-26750 is a critical-severity SQL Injection (CWE-89) vulnerability in Yiiframework Yii. Its CVSS base score is 9.8 (Critical).

Operationally, its EPSS score places it in the top 6.4% of CVEs by predicted exploit likelihood (93.6th percentile); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2023-26750 is a SQL injection vulnerability in the Yii 2 Framework prior to version 2.0.47 that permits remote code execution through the runAction function. The issue is tracked under CWE-89 and CWE-79 and carries a CVSS 3.1 base score of 9.8. The framework maintainers have stated that the flaw resides in third-party code rather than the Yii codebase itself.

An unauthenticated remote attacker can reach an action dispatched through runAction over the network, inject SQL, and achieve arbitrary code execution, which matches the vector's AV:N/PR:N/UI:N preconditions and its full confidentiality, integrity, and availability impact on affected installations.

Public discussion of the issue is contained in the referenced GitHub issue thread, which includes maintainer comments reiterating that the root cause lies outside the framework and providing guidance on responsible disclosure and patching of the implicated third-party component. The associated EPSS score reached a peak of 0.1364 and currently stands at 0.1102.
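The weakness class behind this CVE, as an added illustration that is neither Yii code nor the code from the referenced issue thread: runAction is the yii\base\Controller method that dispatches a request to an action, so the injection point is whatever the action does with request input. The first action below concatenates a query-string value into SQL, the pattern the maintainers' position points at because it lives in application code rather than the framework; the two that follow show the hardened form with input validation and bound parameters. The controller name, the `user` table and its `id` and `username` columns are assumptions made for the example.

```php
<?php
// Added example: the CWE-89 pattern in application code built on Yii 2,
// which is where the maintainers place this flaw. Not Yii code and not the
// code from the referenced issue thread. Assumed (hypothetical): a `user`
// table with an integer `id` and a string `username` column, and this
// controller living at app\controllers\UserController.
namespace app\controllers;

use Yii;
use yii\db\Query;
use yii\web\BadRequestHttpException;
use yii\web\Controller;
use yii\web\NotFoundHttpException;

class UserController extends Controller
{
    // VULNERABLE: the request value is concatenated into the SQL text, so the
    // database parses attacker-controlled input as SQL.
    //   GET /user/vulnerable?id=1 OR 1=1           -> every row comes back
    //   GET /user/vulnerable?id=0 UNION SELECT ... -> reads from other tables
    public function actionVulnerable()
    {
        $id = Yii::$app->request->get('id');
        $sql = "SELECT id, username FROM user WHERE id = " . $id; // CWE-89
        $row = Yii::$app->db->createCommand($sql)->queryOne();
        return $this->asJson($row);
    }

    // HARDENED: (1) reject anything that is not an unsigned integer, which is
    // the input-validation control; (2) hand the value to the driver as a
    // bound parameter, so it reaches the database as data and cannot alter
    // the query text regardless of its content.
    public function actionSafe()
    {
        $id = Yii::$app->request->get('id');
        if (!is_string($id) || !ctype_digit($id)) { // also rejects ?id[]=1
            throw new BadRequestHttpException('id must be an unsigned integer');
        }
        $row = Yii::$app->db
            ->createCommand('SELECT id, username FROM user WHERE id = :id')
            ->bindValue(':id', (int) $id)
            ->queryOne();
        if ($row === false) {
            throw new NotFoundHttpException('no such user');
        }
        return $this->asJson($row);
    }

    // Same result through the query builder: a hash-format condition is
    // turned into a placeholder by Yii, whereas the string form
    // where("id = $id") is passed through verbatim and stays injectable.
    public function actionSafeBuilder()
    {
        $id = Yii::$app->request->get('id');
        if (!is_string($id) || !ctype_digit($id)) {
            throw new BadRequestHttpException('id must be an unsigned integer');
        }
        $row = (new Query())
            ->select(['id', 'username'])
            ->from('user')
            ->where(['id' => (int) $id])
            ->one();
        if ($row === false) {
            throw new NotFoundHttpException('no such user');
        }
        return $this->asJson($row);
    }
}
```

Upgrading the framework does not change what any of these actions does with its input, which is the substance of the maintainers' position: `createCommand()` with an interpolated string, and the string form of `where()`, deliver whatever they are given to the driver as SQL on every version. Triaging this CVE therefore means reviewing application and vendor code for string-built SQL reachable from request parameters, not checking the Yii version alone.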


Vulnerability details

SQL injection vulnerability found in Yii Framework Yii 2 Framework before v.2.0.47 allows a remote attacker to execute arbitrary code via the runAction function. NOTE: the software maintainer's position is that the vulnerability is in third-party code, not in the framework.

CWE(s)

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: yiiframework
Product: yii
Versions: 2.0.0 up to 2.0.47, exclusive (the NVD description says "before v.2.0.47")

Mitigating Controls

Likely mitigating controls (automatically derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Penetration testing (addresses CWE-79, CWE-89): submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
- Input validation (addresses CWE-79, CWE-89): validates web inputs to reject script-related content that could produce XSS.
- Output validation (addresses CWE-79): validation of output against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.

The derived descriptions speak only to the CWE-79 half of the mapping. For the SQL-injection weakness that defines this CVE, the control that removes the flaw is parameterized queries (bound parameters or Yii's hash-format conditions) at every call site that builds SQL from request input; input validation and penetration testing are supporting controls, not substitutes.
