CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

© 2026 CVEReports. All rights reserved. Made with love by Amit Schendel & Alon Barad


CVE-2024-58136 · CVSS 9.0 · EPSS 78.44%

Double-Crossed by Magic: The Yii 2 Class Confusion RCE

Amit Schendel, Senior Security Researcher

Jan 7, 2026 · 7 min read

Active Exploitation · CISA KEV Listed

Executive Summary (TL;DR)

Yii 2 (before 2.0.52) does not validate the `__class` key when a behavior is attached to a component from an array configuration. `Yii::createObject()` reads `__class` before `class`, so an attacker who controls that array supplies an allow-listed `class` to satisfy the application's check and an arbitrary `__class` that the factory actually instantiates. Arbitrary instantiation with attacker-chosen properties reaches known gadget classes and yields remote code execution; the bug was exploited in the wild through Craft CMS (CVE-2025-32432).

The root cause is a mismatch between what the application validates (the `class` key) and what the framework's object factory uses (the `__class` key, which takes precedence). Any code path that checks one key and then hands the array to `Yii::createObject()` is affected, which is why a framework-level fix was needed rather than a fix in a single consumer. Upgrading Yii to 2.0.52 closes the gap; applications that accept behavior or component configuration from untrusted input should still be reviewed, since the allow-list check was never sufficient on its own.
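The following is an added example, not code from Yii, Craft CMS, or the report's author. It models the class-confusion bug in a few lines of PHP: a factory with the same `__class`-before-`class` precedence as Yii 2's `BaseYii::createObject()` (< 2.0.52), a guard that only checks `class`, and a hardened guard that resolves the class name the way the factory does and additionally requires a `Behavior` subclass. The `Behavior`, `TimestampBehavior` and `GadgetClass` stand-ins, the function names, and the payload are all constructed for this demo; the hardened guard illustrates the principle rather than reproducing the upstream patch.

```php
<?php
declare(strict_types=1);

// Added example: a stripped-down model of the CVE-2024-58136 logic bug.
// It is NOT Yii's or Craft CMS's code. createObjectLikeYii() imitates the
// key precedence of Yii 2's BaseYii::createObject() (< 2.0.52); the other
// names are assumptions made for this demo.

abstract class Behavior {}                        // stand-in for yii\base\Behavior
final class TimestampBehavior extends Behavior {} // a legitimate, allow-listed behavior

// Stand-in for a gadget class. In the real chains (GuzzleHttp\Psr7\FnStream,
// yii\rbac\PhpManager) instantiation with attacker-chosen properties leads to
// code execution; here it only counts how often it was constructed.
final class GadgetClass
{
    public static int $constructed = 0;
    public function __construct() { self::$constructed++; }
}

// Factory: `__class` is consulted BEFORE `class`, and whichever wins is the
// class that gets instantiated. Remaining keys are applied as public properties.
function createObjectLikeYii(array $config): object
{
    if (isset($config['__class'])) {
        $class = $config['__class'];
        unset($config['__class'], $config['class']);
    } elseif (isset($config['class'])) {
        $class = $config['class'];
        unset($config['class']);
    } else {
        throw new InvalidArgumentException('configuration needs "class" or "__class"');
    }
    $object = new $class();
    foreach ($config as $name => $value) {
        $object->$name = $value;
    }
    return $object;
}

// Vulnerable guard: checks only the key the developer expected the factory to use.
function validateBehaviorConfigVulnerable(array $config, array $allowed): bool
{
    return isset($config['class']) && in_array($config['class'], $allowed, true);
}

// Hardened guard: resolves the class name exactly as the factory does and
// requires a Behavior subclass, so validator and factory can no longer disagree.
function validateBehaviorConfigHardened(array $config): bool
{
    $class = $config['__class'] ?? $config['class'] ?? null;
    return is_string($class) && is_subclass_of($class, Behavior::class);
}

// Attach a behavior from array configuration, but only if the guard accepts it.
function attachBehavior(array $config, callable $validator): ?object
{
    return $validator($config) ? createObjectLikeYii($config) : null;
}

// Constructed payload (not a captured in-the-wild request).
$allowed = [TimestampBehavior::class];
$payload = [
    'class'   => TimestampBehavior::class, // satisfies the allow-list check
    '__class' => GadgetClass::class,       // silently wins inside the factory
];

$vulnerable = attachBehavior($payload, fn (array $c) => validateBehaviorConfigVulnerable($c, $allowed));
printf("vulnerable guard:  built %s, gadget constructed %d time(s)\n",
    $vulnerable === null ? 'nothing' : get_class($vulnerable), GadgetClass::$constructed);

$hardened = attachBehavior($payload, 'validateBehaviorConfigHardened');
printf("hardened guard:    %s\n", $hardened === null ? 'rejected' : get_class($hardened));

// A legitimate configuration still passes the hardened guard.
$legit = attachBehavior(['class' => TimestampBehavior::class], 'validateBehaviorConfigHardened');
printf("legitimate config: %s\n", $legit === null ? 'rejected' : get_class($legit));
```

Run it with `php demo.php` (PHP 8+). The vulnerable guard lets `GadgetClass` through because it never looks at `__class`; the hardened guard rejects the same payload because it reads the key the factory will honor and insists on a `Behavior` subtype, while a clean `TimestampBehavior` configuration is still accepted.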

Official Patches

Yii Framework: official patch commit (yiisoft/yii2, fixed in 2.0.52)

Technical Appendix

CVSS Score: 9.0 / 10 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Probability: 78.44% (top 1% most exploited)
Estimated exposed hosts (Shodan): 15,000

Affected Systems

Yii Framework 2 (< 2.0.52); Craft CMS (< 4.14.15, via its bundled Yii 2); any application using yiisoft/yii2 below 2.0.52

Affected Versions Detail

Product          Vendor          Affected Versions   Fixed Version
Yii Framework    Yii Software    < 2.0.52            2.0.52
Craft CMS        Pixel & Tonic   < 4.14.15           4.14.15
Attribute        Detail
Attack Vector    Network (HTTP POST)
CVSS v3.1        9.0 (Critical)
CWE              CWE-424 (Improper Protection of Alternate Path)
EPSS Score       78.44%
Exploit Status   Active exploitation / weaponized
Gadgets          GuzzleHttp\Psr7\FnStream, yii\rbac\PhpManager

MITRE ATT&CK Mapping

T1190 Exploit Public-Facing Application (Initial Access): the malicious behavior configuration arrives in an HTTP POST to the exposed application.
T1059 Command and Scripting Interpreter (Execution): once a gadget class is instantiated with attacker-chosen properties, the attacker runs PHP code or shell commands on the server.

CWE-424: Improper Protection of Alternate Path

The application protects one path to a sensitive operation (the `class` key is checked against an allow-list) but not an equivalent alternate path to the same operation (the `__class` key, which the object factory honors first), so the check is bypassed without ever being triggered.

Known Exploits & Detection

Nuclei: detection and exploitation template available, using the GuzzleHttp\Psr7\FnStream gadget
GitHub: vendor advisory describing the bypass
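As an added example (not the Nuclei template referred to above, and not vendor code), here is a request-body check that can run in front of an unpatched Yii 2 application as a virtual patch or log-enrichment rule. It decodes a JSON or form-encoded body and reports the path of every `__class` key, plus any `class` key naming a class outside a caller-supplied allow-list. The function names and the three sample bodies are constructed for this demo; the gadget class names in them are the ones listed in the appendix above.

```php
<?php
declare(strict_types=1);

// Added example: request-body inspection for Yii 2 class-override keys.
// Not from Yii, Craft CMS, or any Nuclei template; names are assumptions.

/**
 * Walk a decoded request body recursively and return a list of
 * "dotted.path=value" strings for every key the Yii object factory
 * would treat as a class override: `__class` always, and `class`
 * whenever it names something outside $allowedClasses.
 */
function findClassOverrides(array $params, array $allowedClasses = [], string $prefix = ''): array
{
    $hits = [];
    foreach ($params as $key => $value) {
        $path = $prefix === '' ? (string) $key : $prefix . '.' . $key;
        if ($key === '__class') {
            $hits[] = $path . '=' . (is_scalar($value) ? (string) $value : gettype($value));
        } elseif ($key === 'class' && is_string($value) && !in_array($value, $allowedClasses, true)) {
            $hits[] = $path . '=' . $value;
        }
        if (is_array($value)) {
            $hits = array_merge($hits, findClassOverrides($value, $allowedClasses, $path));
        }
    }
    return $hits;
}

/** Decode the body the same way the application would see it (JSON or form-encoded). */
function parseBody(string $contentType, string $raw): array
{
    if (str_starts_with($contentType, 'application/json')) {
        $decoded = json_decode($raw, true);
        return is_array($decoded) ? $decoded : [];
    }
    parse_str($raw, $out); // handles PHP bracket syntax such as a[b][c]=v
    return $out;
}

// Constructed sample bodies (not captured traffic).
$formBody = 'behaviors%5Bevil%5D%5Bclass%5D=yii%5Cbehaviors%5CTimestampBehavior'
          . '&behaviors%5Bevil%5D%5B__class%5D=GuzzleHttp%5CPsr7%5CFnStream';
$jsonClean = <<<'JSON'
{"config":{"as log":{"class":"yii\\behaviors\\TimestampBehavior"}}}
JSON;
$jsonBadClass = <<<'JSON'
{"config":{"as auth":{"class":"yii\\rbac\\PhpManager","itemFile":"x"}}}
JSON;

$allowed = ['yii\behaviors\TimestampBehavior'];
$samples = [
    ['application/x-www-form-urlencoded', $formBody],
    ['application/json', $jsonClean],
    ['application/json', $jsonBadClass],
];
foreach ($samples as [$contentType, $raw]) {
    $hits = findClassOverrides(parseBody($contentType, $raw), $allowed);
    printf("%-35s %s\n", $contentType, $hits ? 'BLOCK ' . implode(', ', $hits) : 'allow');
}
```

The first body is flagged on `behaviors.evil.__class` even though its `class` value is allow-listed, which is exactly the shape of the bypass; the second is allowed; the third is flagged because `class` names a non-allow-listed class. Treat a `__class` key in any user-supplied configuration as a block-and-alert condition rather than a validation error: legitimate clients have no reason to send it.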

Vulnerability Timeline

2024-05-18  Patch committed to the Yii 2 repository
2024-06-01  CVE published
2025-04-01  Added to the CISA KEV catalog after in-the-wild exploitation against Craft CMS

Related Vulnerabilities

CVE-2024-4990, CVE-2025-32432

Attack Flow Diagram (interactive figure, not reproduced)