{"id":"CVE-2024-58136","details":"Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an __class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025.","aliases":["GHSA-ggwg-cmwp-46r5"],"modified":"2026-04-09T10:30:29.436561Z","published":"2025-04-10T03:15:17.767Z","references":[{"type":"WEB","url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-58136"},{"type":"ADVISORY","url":"https://www.yiiframework.com/news/709/please-upgrade-to-yii-2-0-52"},{"type":"REPORT","url":"https://github.com/yiisoft/yii2/compare/2.0.51...2.0.52"},{"type":"REPORT","url":"https://github.com/yiisoft/yii2/pull/20232#issuecomment-2252459709"},{"type":"FIX","url":"https://github.com/yiisoft/yii2/commit/40fe496eda529fd1d933b56a1022ec32d3cd0b12"},{"type":"FIX","url":"https://github.com/yiisoft/yii2/pull/20232"},{"type":"EVIDENCE","url":"https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/yiisoft/yii2","events":[{"introduced":"0"},{"fixed":"40b1ec3799d9bf9eff3d3cc83e6ac529f9f29805"},{"fixed":"40fe496eda529fd1d933b56a1022ec32d3cd0b12"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.0.52"}]}}],"versions":["2.0.0-alpha","2.0.0-beta","2.0.0-rc","2.0.10","2.0.11","2.0.11.1","2.0.11.2","2.0.12","2.0.13","2.0.13.1","2.0.14","2.0.14.1","2.0.14.2","2.0.16","2.0.16.1","2.0.17","2.0.18","2.0.19","2.0.2","2.0.20","2.0.21","2.0.22","2.0.23","2.0.24","2.0.25","2.0.26","2.0.27","2.0.28","2.0.29","2.0.3","2.0.30","2.0.31","2.0.32","2.0.33","2.0.34","2.0.35","2.0.36","2.0.37","2.0.38","2.0.39","2.0.39.1","2.0.39.2","2.0.39.3","2.0.4","2.0.40","2.0.41","2.0.41.1","2.0.42","2.0.42.1","2.0.43","2.0.44","2.0.45","2.0.46","2.0.47","2.0.48","2.0.48.1","2.0.49","2.0.49.1","2.0.49.2","2.0.50","2.0.51","2.0.6","2.0.7","2.0.8","2.0.9"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-58136.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}