pivotx CVE Vulnerabilities & Metrics

Focus on pivotx vulnerabilities and metrics.

Last updated: 26 Nov 2025, 23:25 UTC

About pivotx Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with pivotx. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total pivotx CVEs: 16 (the full list below and the CVSS range table both contain sixteen entries)
Earliest CVE date: 04 Feb 2011, 01:00 UTC
Latest CVE date: 22 Sep 2025, 19:15 UTC

Latest CVE reference: CVE-2025-52367

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 1

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical pivotx CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 5.24 (mean over all 16 listed entries, with CVE-2025-52367 counted as 0 because it carries no score; excluding that unscored entry the mean is 5.59)

Max CVSS: 7.5

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range Count
0.0-3.9 2
4.0-6.9 11
7.0-8.9 3
9.0-10.0 0

CVSS Distribution Chart

Top 5 Highest CVSS pivotx CVEs

These are the five CVEs with the highest CVSS scores for pivotx, sorted by severity first and then by recency, taken from the full list below:

CVE-2015-5457 CVSS: 7.5 08 Jul 2015, 15:59 UTC
CVE-2014-0342 CVSS: 7.5 15 Apr 2014, 10:55 UTC
CVE-2011-1035 CVSS: 7.5 19 Feb 2011, 01:00 UTC
CVE-2015-5458 CVSS: 6.8 08 Jul 2015, 15:59 UTC
CVE-2017-14958 CVSS: 6.5 02 Oct 2017, 01:29 UTC
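The rolling, calendar and CVSS figures above can be reproduced from the sixteen entries listed on this page. The script below is an added example, not code from the page or from the PivotX project: it embeds the CVE ids, publication timestamps and CVSS values as shown here, uses the page's "last updated" stamp as the reference point, and implements the 30/365-day gliding windows and the calendar comparisons described under "Calendar-based Variation". The handling of an empty earlier period (returning 0.0) is an assumption chosen because it is the only convention that reproduces the page's 0% year variation for 2025 (one CVE) versus 2024 (none).

```python
from datetime import datetime, timedelta, timezone
from decimal import Decimal, ROUND_HALF_UP

# Constructed from the sixteen entries listed on this page: (CVE id, published, CVSS as shown).
# CVE-2025-52367 is shown with CVSS 0, which in this data set means no score has been assigned.
CVES = [
    ("CVE-2025-52367", "2025-09-22T19:15", "0"),
    ("CVE-2017-14958", "2017-10-02T01:29", "6.5"),
    ("CVE-2017-9332",  "2017-06-06T14:29", "4.3"),
    ("CVE-2017-8402",  "2017-05-31T04:29", "6.5"),
    ("CVE-2017-7570",  "2017-04-07T04:59", "6.5"),
    ("CVE-2015-5458",  "2015-07-08T15:59", "6.8"),
    ("CVE-2015-5457",  "2015-07-08T15:59", "7.5"),
    ("CVE-2015-5456",  "2015-07-08T15:59", "4.3"),
    ("CVE-2014-0342",  "2014-04-15T10:55", "7.5"),
    ("CVE-2014-0341",  "2014-04-15T10:55", "3.5"),
    ("CVE-2012-2274",  "2012-08-13T23:55", "4.3"),
    ("CVE-2011-1035",  "2011-02-19T01:00", "7.5"),
    ("CVE-2011-0775",  "2011-02-04T01:00", "5.0"),
    ("CVE-2011-0774",  "2011-02-04T01:00", "5.0"),
    ("CVE-2011-0773",  "2011-02-04T01:00", "4.3"),
    ("CVE-2011-0772",  "2011-02-04T01:00", "4.3"),
]
# The page's "last updated" stamp is the reference point for every window below.
AS_OF = datetime(2025, 11, 26, 23, 25, tzinfo=timezone.utc)


def _published(entry):
    return datetime.fromisoformat(entry[1]).replace(tzinfo=timezone.utc)


def rolling_count(days, as_of=AS_OF, offset_days=0):
    """Entries published in (as_of - offset - days, as_of - offset]; offset_days=days selects the preceding window."""
    end = as_of - timedelta(days=offset_days)
    start = end - timedelta(days=days)
    return sum(1 for e in CVES if start < _published(e) <= end)


def calendar_count(year, month=None):
    """Entries published in a fixed calendar year, or in one month of that year."""
    return sum(1 for e in CVES
               if _published(e).year == year and (month is None or _published(e).month == month))


def pct_change(current, previous):
    """Percentage change between two periods. Assumption: 0.0 when the earlier period is empty,
    the convention the page's figures imply (2025 has 1 CVE, 2024 has 0, shown as 0%)."""
    if previous == 0:
        return 0.0
    return round((current - previous) / previous * 100, 1)


def rolling_stats(as_of=AS_OF):
    cur30, prev30 = rolling_count(30, as_of), rolling_count(30, as_of, offset_days=30)
    cur365, prev365 = rolling_count(365, as_of), rolling_count(365, as_of, offset_days=365)
    return {"count_30d": cur30, "count_365d": cur365,
            "month_growth_pct": pct_change(cur30, prev30),
            "year_growth_pct": pct_change(cur365, prev365)}


def calendar_stats(as_of=AS_OF):
    y, m = as_of.year, as_of.month
    return {"month_variation_pct": pct_change(calendar_count(y, m), calendar_count(y - 1, m)),
            "year_variation_pct": pct_change(calendar_count(y), calendar_count(y - 1))}


def cvss_stats(include_unscored=True):
    """Average, max, critical count and range buckets. Decimal arithmetic so that 5.2375 rounds to 5.24 as on the page."""
    scores = [Decimal(s) for _, _, s in CVES if include_unscored or Decimal(s) > 0]
    buckets = {"0.0-3.9": 0, "4.0-6.9": 0, "7.0-8.9": 0, "9.0-10.0": 0}
    for s in scores:
        if s < 4:
            buckets["0.0-3.9"] += 1
        elif s < 7:
            buckets["4.0-6.9"] += 1
        elif s < 9:
            buckets["7.0-8.9"] += 1
        else:
            buckets["9.0-10.0"] += 1
    avg = (sum(scores) / len(scores)).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)
    return {"count": len(scores), "average": float(avg), "max": float(max(scores)),
            "critical": sum(1 for s in scores if s >= 9), "buckets": buckets}


def top_n(n=5):
    """Highest CVSS first, most recent first among equal scores."""
    ranked = sorted(CVES, key=lambda e: (-Decimal(e[2]), -_published(e).timestamp()))
    return [e[0] for e in ranked[:n]]


if __name__ == "__main__":
    print(rolling_stats())
    print(calendar_stats())
    print(cvss_stats())
    print(cvss_stats(include_unscored=False))
    print(top_n())
```

Two things the numbers hide are visible once they are recomputed: the 365-day window contains exactly one entry, the unscored 2025 XSS, so "Year Growth Rate 0.0%" is an artifact of the empty-previous-period convention rather than evidence of a flat trend; and counting that unscored entry as 0 pulls the average down from 5.59 to 5.24. Treat a CVSS of 0 on an aggregator page as "not yet rated", never as "harmless".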

All CVEs for pivotx

CVE-2025-52367 pivotx vulnerability CVSS: 0 (no score assigned; treat as unrated rather than low severity) 22 Sep 2025, 19:15 UTC

Cross-site scripting (XSS) vulnerability in PivotX CMS 3.0.0 RC 3 allows a remote attacker to inject arbitrary web script or HTML via the subtitle field.

CVE-2017-14958 pivotx vulnerability CVSS: 6.5 02 Oct 2017, 01:29 UTC

lib.php in PivotX 2.3.11 does not properly block uploads of dangerous file types by admin users, which allows remote PHP code execution via an upload of a .php file.

CVE-2017-9332 pivotx vulnerability CVSS: 4.3 06 Jun 2017, 14:29 UTC

The smarty_self function in modules/module_smarty.php in PivotX 2.3.11 mishandles the URI, allowing XSS via vectors involving quotes in the self Smarty tag.

CVE-2017-8402 pivotx vulnerability CVSS: 6.5 31 May 2017, 04:29 UTC

PivotX 2.3.11 allows remote authenticated users to execute arbitrary PHP code via vectors involving an upload of a .htaccess file.

CVE-2017-7570 pivotx vulnerability CVSS: 6.5 07 Apr 2017, 04:59 UTC

PivotX 2.3.11 allows remote authenticated Advanced users to execute arbitrary PHP code by performing an upload with a safe file extension (such as .jpg) and then invoking the duplicate function to change to the .php extension.

CVE-2015-5458 pivotx vulnerability CVSS: 6.8 08 Jul 2015, 15:59 UTC

Session fixation vulnerability in fileupload.php in PivotX before 2.3.11 allows remote attackers to hijack web sessions via the sess parameter.

CVE-2015-5457 pivotx vulnerability CVSS: 7.5 08 Jul 2015, 15:59 UTC

PivotX before 2.3.11 does not validate the new file extension when renaming a file with multiple extensions, which allows remote attackers to execute arbitrary code by uploading a crafted file, as demonstrated by a file named foo.php.php.

CVE-2015-5456 pivotx vulnerability CVSS: 4.3 08 Jul 2015, 15:59 UTC

Cross-site scripting (XSS) vulnerability in the form method in modules/formclass.php in PivotX before 2.3.11 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO, related to the "PHP_SELF" variable and form actions.

CVE-2014-0342 pivotx vulnerability CVSS: 7.5 15 Apr 2014, 10:55 UTC

Multiple unrestricted file upload vulnerabilities in fileupload.php in PivotX before 2.3.9 allow remote authenticated users to execute arbitrary PHP code by uploading a file with a (1) .php or (2) .php# extension, and then accessing it via unspecified vectors.

CVE-2014-0341 pivotx vulnerability CVSS: 3.5 15 Apr 2014, 10:55 UTC

Multiple cross-site scripting (XSS) vulnerabilities in PivotX before 2.3.9 allow remote authenticated users to inject arbitrary web script or HTML via the title field to (1) templates_internal/pages.tpl, (2) templates_internal/home.tpl, or (3) templates_internal/entries.tpl; (4) an event field to objects.php; or the (5) email or (6) nickname field to pages.php, related to templates_internal/users.tpl.

CVE-2012-2274 pivotx vulnerability CVSS: 4.3 13 Aug 2012, 23:55 UTC

Cross-site scripting (XSS) vulnerability in pivotx/ajaxhelper.php in PivotX 2.3.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the file parameter.

CVE-2011-1035 pivotx vulnerability CVSS: 7.5 19 Feb 2011, 01:00 UTC

The password reset in PivotX before 2.2.4 allows remote attackers to modify the passwords of arbitrary users via unspecified vectors.

CVE-2011-0775 pivotx vulnerability CVSS: 5.0 04 Feb 2011, 01:00 UTC

pivotx/modules/module_image.php in PivotX 2.2.2 allows remote attackers to obtain sensitive information via a non-existent file in the image parameter, which reveals the installation path in an error message. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

CVE-2011-0774 pivotx vulnerability CVSS: 5.0 04 Feb 2011, 01:00 UTC

PivotX before 2.2.2 allows remote attackers to obtain sensitive information via a direct request to (1) includes/ping.php and (2) includes/spamping.php, which reveals the installation path in an error message.

CVE-2011-0773 pivotx vulnerability CVSS: 4.3 04 Feb 2011, 01:00 UTC

Cross-site scripting (XSS) vulnerability in pivotx/modules/module_image.php in PivotX before 2.2.3 allows remote attackers to inject arbitrary web script or HTML via the image parameter.

CVE-2011-0772 pivotx vulnerability CVSS: 4.3 04 Feb 2011, 01:00 UTC

Multiple cross-site scripting (XSS) vulnerabilities in PivotX 2.2.0, and possibly other versions before 2.2.2, allow remote attackers to inject arbitrary web script or HTML via the (1) color parameter to includes/blogroll.php or (2) src parameter to includes/timwrapper.php.
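Four of the entries above describe the same class of defect in PivotX's upload handling: a denylist that looks only at the last extension lets through `foo.php#` (CVE-2014-0342) and `.htaccess` (CVE-2017-8402), and a rename or duplicate step that does not re-run the check lets a safely named upload become `foo.php.php` (CVE-2015-5457) or `.php` (CVE-2017-7570). The block below is an added example written for this page, not PivotX's code: `naive_is_allowed` is an illustrative reconstruction of the weak pattern, `strict_is_allowed` is the hardened check (allowlist applied to every extension segment, tight character set, no leading dot), and `UploadStore` is a constructed in-memory stand-in for an upload directory showing why the rename path must validate the destination name. The extension sets and all file names are assumptions.

```python
import re

# Assumed allowlist for an image/document upload feature (illustrative).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}
# What a typical denylist knows about; deliberately incomplete, as real denylists are.
DENIED_EXTENSIONS = {"php", "phtml", "php5"}


def naive_is_allowed(filename: str) -> bool:
    """Weak pattern: denylist checked against the final extension only (reconstruction, not PivotX's code)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in DENIED_EXTENSIONS


# base name of [A-Za-z0-9_-], then one or more dot-separated alphanumeric extensions
_SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)+")


def strict_is_allowed(filename: str) -> bool:
    """Hardened check: every extension segment must be on the allowlist, and the name
    may contain nothing but letters, digits, '_', '-' and dots. This rejects leading-dot
    names (.htaccess), '#', path separators, spaces and any .php segment anywhere in the name."""
    if not _SAFE_NAME.fullmatch(filename):
        return False
    segments = filename.lower().split(".")
    return all(seg in ALLOWED_EXTENSIONS for seg in segments[1:])


class UploadStore:
    """Constructed in-memory upload directory. The validator is applied on upload and,
    unless a caller opts out (the bug pattern), on the destination of a duplicate/rename."""

    def __init__(self, validator):
        self.validator = validator
        self.files = {}

    def upload(self, name: str, content: bytes) -> None:
        if not self.validator(name):
            raise ValueError(f"rejected upload: {name!r}")
        self.files[name] = content

    def duplicate(self, src: str, dst: str, revalidate: bool = True) -> None:
        if src not in self.files:
            raise KeyError(src)
        if revalidate and not self.validator(dst):
            raise ValueError(f"rejected rename target: {dst!r}")
        self.files[dst] = self.files[src]


def triage(names):
    """Compare both validators over a list of candidate names: name -> (naive verdict, strict verdict)."""
    return {n: (naive_is_allowed(n), strict_is_allowed(n)) for n in names}


def rename_bypass_possible(validator, revalidate: bool) -> bool:
    """Upload an innocuous name, then duplicate it to a .php name; True if the .php name lands."""
    store = UploadStore(validator)
    store.upload("shell.jpg", b"<?php system($_GET['c']); ?>")  # constructed payload bytes
    try:
        store.duplicate("shell.jpg", "shell.php", revalidate=revalidate)
    except ValueError:
        return False
    return "shell.php" in store.files


if __name__ == "__main__":
    for name, verdict in triage(["photo.jpg", "shell.php.jpg", "shell.php#", ".htaccess",
                                 "shell.php.php", "../photo.jpg"]).items():
        print(f"{name:16} naive={verdict[0]!s:5} strict={verdict[1]!s:5}")
    print("rename bypass without revalidation:", rename_bypass_possible(naive_is_allowed, revalidate=False))
    print("rename bypass with strict revalidation:", rename_bypass_possible(strict_is_allowed, revalidate=True))
```

A name check of this kind is necessary but not sufficient: a practitioner would also store uploads outside the web root or serve the upload directory with script execution disabled, so that a bypass of the filename filter (or a server that maps handlers by any extension in the name, not just the last) does not become remote code execution.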