We are releasing Yii 2.0.5 to fix a security issue found in the
yii\web\ViewAction class. We urge all users of the class to upgrade their Yii installation to this latest release. Upgrading from 2.0.4 to this release is very safe as the release does only contain the bugfix for the vulnerability and will not break your existing code.
The vulnerability is in the ViewAction action. It is possible to execute any PHP file (a file ending with
.php) on the disk by passing a relative path via
Since the issue was posted on the public issue tracker and is already known, we've fixed it and decided to make this release immediately.
We have reserved a CVE number (CVE-2015-5467) for this issue, which you can use to refer to it.