CVE-2024-58136

Basic Information

CVE State
PUBLISHED
Reserved Date
April 10, 2025
Published Date
April 10, 2025
Last Updated
April 10, 2025
Vendor
yiiframework
Product
Yii
Description
Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an __class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025.

CVSS Scores

CVSS v3.1

9.0 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score

Score
0.07% (Percentile: 22.00%) as of 2025-04-29

SSVC Information

Exploitation
none
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (added 2025-04-10 00:00:00 UTC)

Known Exploited Vulnerability Information

Source
CVE
Added Date
2025-04-10 00:00:00 UTC

Recent Mentions

Hackers Exploit Critical Craft CMS Flaws; Hundreds of Servers Likely Compromised

Source: TheHackerNews • Published: 2025-04-28 07:13:00 UTC

Threat actors have been observed exploiting two newly disclosed critical security flaws in Craft CMS in zero-day attacks to breach servers and gain unauthorized access. The attacks, first observed by Orange Cyberdefense SensePost on February 14, 2025, involve chaining the below vulnerabilities - CVE-2024-58136 (CVSS score: 9.0) - An improper protection of alternate path flaw in the Yii PHP