PyroCMS
by PyroCMS
CVEs (4)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-29689 | | Cri | 0.70 | 9.8 | 0.41 | | Aug 4, 2023 | PyroCMS 3.9 contains a remote code execution (RCE) vulnerability that can be exploited through a server-side template injection (SSTI) flaw. This vulnerability allows a malicious attacker to send customized commands to the server and execute arbitrary code on the affected system. |
| CVE-2022-37721 | | Cri | 0.59 | 9.0 | 0.01 | | Nov 25, 2022 | PyroCMS 3.9 is vulnerable to a stored Cross Site Scripting (XSS) when a low-privileged user, such as an author, injects a crafted HTML and JavaScript payload in a blog post, leading to full admin account takeover or privilege escalation. |
| CVE-2022-35118 | | Med | 0.40 | 6.1 | 0.00 | | Aug 1, 2022 | PyroCMS v3.9 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities. |
| CVE-2024-58297 | | | 0.00 | — | 0.00 | | Dec 11, 2025 | PyroCMS v3.0.1 contains a stored cross-site scripting vulnerability in the admin redirects configuration that allows attackers to inject malicious scripts. Attackers can insert a payload in the 'Redirect From' field to execute arbitrary JavaScript when administrators view the… |