pyrocms CVE Vulnerabilities & Metrics

Focus on pyrocms vulnerabilities and metrics.

Last updated: 15 Feb 2026, 23:25 UTC

About pyrocms Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with pyrocms. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total pyrocms CVEs: 6
Earliest CVE date: 08 Oct 2020, 13:15 UTC
Latest CVE date: 11 Dec 2025, 22:15 UTC

Latest CVE reference: CVE-2024-58297

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 1

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical pyrocms CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 1.68

Max CVSS: 5.8

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range	Count
0.0-3.9	4
4.0-6.9	2
7.0-8.9	0
9.0-10.0	0

CVSS Distribution Chart

Top 5 Highest CVSS pyrocms CVEs

These are the five CVEs with the highest CVSS scores for pyrocms, sorted by severity first and recency.

CVE-2020-25263 pyrocms Published on 08 Oct 2020, 13:15 UTC (CVSS: 5.8)
PyroCMS 3.7 is vulnerable to cross-site request forgery (CSRF) via the admin/addons/uninstall/anomaly.module.blocks URI: an arbitrary plugin will be deleted.
CVE-2020-25262 pyrocms Published on 08 Oct 2020, 13:15 UTC (CVSS: 4.3)
PyroCMS 3.7 is vulnerable to cross-site request forgery (CSRF) via the admin/pages/delete/ URI: pages will be deleted.
CVE-2024-58297 pyrocms Published on 11 Dec 2025, 22:15 UTC (CVSS: 0)
PyroCMS v3.0.1 contains a stored cross-site scripting vulnerability in the admin redirects configuration that allows attackers to inject malicious scripts. Attackers can insert a payload in the 'Redirect From' field to execute arbitrary JavaScript when administrators view the redirects page.
CVE-2023-29689 pyrocms Published on 04 Aug 2023, 15:15 UTC (CVSS: 0)
PyroCMS 3.9 contains a remote code execution (RCE) vulnerability that can be exploited through a server-side template injection (SSTI) flaw. This vulnerability allows a malicious attacker to send customized commands to the server and execute arbitrary code on the affected system.
CVE-2022-37721 pyrocms Published on 25 Nov 2022, 17:15 UTC (CVSS: 0)
PyroCMS 3.9 is vulnerable to a stored Cross Site Scripting (XSS_ when a low privileged user such as an author, injects a crafted html and javascript payload in a blog post, leading to full admin account takeover or privilege escalation.

All CVEs for pyrocms

CVE-2024-58297 pyrocms vulnerability CVSS: 0 11 Dec 2025, 22:15 UTC

PyroCMS v3.0.1 contains a stored cross-site scripting vulnerability in the admin redirects configuration that allows attackers to inject malicious scripts. Attackers can insert a payload in the 'Redirect From' field to execute arbitrary JavaScript when administrators view the redirects page.

CVE-2023-29689 pyrocms vulnerability CVSS: 0 04 Aug 2023, 15:15 UTC

PyroCMS 3.9 contains a remote code execution (RCE) vulnerability that can be exploited through a server-side template injection (SSTI) flaw. This vulnerability allows a malicious attacker to send customized commands to the server and execute arbitrary code on the affected system.

CVE-2022-37721 pyrocms vulnerability CVSS: 0 25 Nov 2022, 17:15 UTC

PyroCMS 3.9 is vulnerable to a stored Cross Site Scripting (XSS_ when a low privileged user such as an author, injects a crafted html and javascript payload in a blog post, leading to full admin account takeover or privilege escalation.

CVE-2022-35118 pyrocms vulnerability CVSS: 0 01 Aug 2022, 20:15 UTC

PyroCMS v3.9 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities.

CVE-2020-25263 pyrocms vulnerability CVSS: 5.8 08 Oct 2020, 13:15 UTC

PyroCMS 3.7 is vulnerable to cross-site request forgery (CSRF) via the admin/addons/uninstall/anomaly.module.blocks URI: an arbitrary plugin will be deleted.

CVE-2020-25262 pyrocms vulnerability CVSS: 4.3 08 Oct 2020, 13:15 UTC

PyroCMS 3.7 is vulnerable to cross-site request forgery (CSRF) via the admin/pages/delete/ URI: pages will be deleted.