CVE-2024-58136
CVSS Score
9.0
EPSS Score
0.0%
EPSS Percentile
0th
Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an __class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025.
| CWE | CWE-424 |
| Vendor | yiiframework |
| Product | yii |
| Published | Apr 10, 2025 |
| Last Updated | Oct 21, 2025 |
โ ๏ธ Actively Exploited โ Act Now
Get instant alerts for yiiframework yii
This vulnerability is actively exploited in the wild. Set up free real-time alerts so you're first to know about threats like CVE-2024-58136.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
yiiframework / Yii
2 < 2.0.52
References
github.com: https://github.com/yiisoft/yii2/pull/20232 github.com: https://github.com/yiisoft/yii2/pull/20232#issuecomment-2252459709 github.com: https://github.com/yiisoft/yii2/commit/40fe496eda529fd1d933b56a1022ec32d3cd0b12 github.com: https://github.com/yiisoft/yii2/compare/2.0.51...2.0.52 yiiframework.com: https://www.yiiframework.com/news/709/please-upgrade-to-yii-2-0-52 sensepost.com: https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms/ cisa.gov: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-58136