CVE-2024-58297 MEDIUM

CVE-2024-58297: PyroCMS v3.0.1 Stored Cross-Site Scripting via Admin Redirects

Vendor Pyrocms

Product PyroCMS

Weakness CWE-79 · XSS

Published December 11, 2025

Last update March 5, 2026

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

PyroCMS v3.0.1 contains a stored cross-site scripting vulnerability in the admin redirects configuration that allows attackers to inject malicious scripts. Attackers can insert a payload in the 'Redirect From' field to execute arbitrary JavaScript when administrators view the redirects page.

Key dates

02Disclosure timeline

December 11, 2025 CVE published

March 5, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-58297

Related vulnerabilities

04Related CVE

CVE-2023-40664 WordPress Donations Made Easy – Smart Donations Plugin <= 4.0.12 is vulnerable to Cross Site Scripting (XSS) CVE-2022-2100 Page Generator Plugin < 1.6.5 - Admin+ Stored Cross-Site Scripting CVE-2025-60124 WordPress Simple Colorbox Plugin <= 1.6.1 - Cross Site Scripting (XSS) Vulnerability CVE-2025-62761 WordPress Knowledge Base documentation & wiki plugin – BasePress plugin <= 2.17.0.1 - Cross Site Scripting (XSS) vulnerability CVE-2024-38038 BUG-000165732 - Reflected XSS in Portal for ArcGIS