CVE-2025-32027: 
PHP vulnerability analysis and mitigation

CVE-2025-32027 is a security vulnerability affecting Yii, an open source PHP web framework. The vulnerability was discovered and disclosed on April 10, 2025, and affects versions prior to 1.1.31. The issue is identified as a Reflected Cross-Site Scripting (XSS) vulnerability that occurs in specific scenarios where the fallback error renderer is used (NVD, GitHub Advisory).

The vulnerability is classified as a Reflected XSS issue with a CVSS v3.1 base score of 6.1 (Medium severity). The attack vector is network-based (AV:N), with low attack complexity (AC:L), requiring no privileges (PR:N) but needs user interaction (UI:R). The scope is changed (S:C), with low impacts on both confidentiality and integrity (C:L, I:L), and no impact on availability (A:N). The vulnerability is tracked under CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page) (GitHub Advisory).

When exploited, this vulnerability could allow attackers to execute arbitrary web script or HTML code in the context of the affected application when the fallback error renderer is used. This could potentially lead to theft of sensitive information, session hijacking, or other client-side attacks (GitHub Advisory).

The vulnerability has been patched in Yii version 1.1.31. Users are strongly advised to upgrade their Yii framework installation to version 1.1.31 or higher to address this security issue. No alternative workarounds have been provided (GitHub Advisory).