Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-zh8w-4tuc-bbcr
Vulnerability ID VCID-zh8w-4tuc-bbcr
Aliases CVE-2023-29689
GHSA-w7vm-4v3j-vgpw
Summary PyroCMS 3.9 contains a remote code execution (RCE) vulnerability that can be exploited through a server-side template injection (SSTI) flaw. This vulnerability allows a malicious attacker to send customized commands to the server and execute arbitrary code on the affected system.
Status Published
Exploitability 2.0
Weighted Severity 9.0
Risk 10.0
Affected and Fixed Packages Package Details
Weaknesses (2)
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3.1 9.8 http://packetstormsecurity.com/files/174088/Pyro-CMS-3.9-Server-Side-Template-Injection.html
generic_textual CRITICAL http://packetstormsecurity.com/files/174088/Pyro-CMS-3.9-Server-Side-Template-Injection.html
ssvc Track* http://packetstormsecurity.com/files/174088/Pyro-CMS-3.9-Server-Side-Template-Injection.html
epss 0.60821 https://api.first.org/data/v1/epss?cve=CVE-2023-29689
epss 0.60821 https://api.first.org/data/v1/epss?cve=CVE-2023-29689
epss 0.60821 https://api.first.org/data/v1/epss?cve=CVE-2023-29689
cvssv3.1 9.8 https://cupc4k3.lol/ssti-leads-to-rce-on-pyrocms-7515be27c811
generic_textual CRITICAL https://cupc4k3.lol/ssti-leads-to-rce-on-pyrocms-7515be27c811
ssvc Track* https://cupc4k3.lol/ssti-leads-to-rce-on-pyrocms-7515be27c811
cvssv3.1_qr CRITICAL https://github.com/advisories/GHSA-w7vm-4v3j-vgpw
cvssv3.1 9.8 https://github.com/pyrocms/pyrocms
generic_textual CRITICAL https://github.com/pyrocms/pyrocms
cvssv3.1 9.8 https://nvd.nist.gov/vuln/detail/CVE-2023-29689
generic_textual CRITICAL https://nvd.nist.gov/vuln/detail/CVE-2023-29689
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2023-29689
https://github.com/pyrocms/pyrocms
https://nvd.nist.gov/vuln/detail/CVE-2023-29689
CVE-2023-29689 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/python/webapps/51669.txt
GHSA-w7vm-4v3j-vgpw https://github.com/advisories/GHSA-w7vm-4v3j-vgpw
Pyro-CMS-3.9-Server-Side-Template-Injection.html http://packetstormsecurity.com/files/174088/Pyro-CMS-3.9-Server-Side-Template-Injection.html
ssti-leads-to-rce-on-pyrocms-7515be27c811 https://cupc4k3.lol/ssti-leads-to-rce-on-pyrocms-7515be27c811
Data source Exploit-DB
Date added Aug. 8, 2023
Description Pyro CMS 3.9 - Server-Side Template Injection (SSTI) (Authenticated)
Ransomware campaign use Unknown
Source publication date Aug. 8, 2023
Exploit type webapps
Platform python
Source update date Aug. 8, 2023
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://packetstormsecurity.com/files/174088/Pyro-CMS-3.9-Server-Side-Template-Injection.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-10-17T15:41:09Z/ Found at http://packetstormsecurity.com/files/174088/Pyro-CMS-3.9-Server-Side-Template-Injection.html
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://cupc4k3.lol/ssti-leads-to-rce-on-pyrocms-7515be27c811
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-10-17T15:41:09Z/ Found at https://cupc4k3.lol/ssti-leads-to-rce-on-pyrocms-7515be27c811
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/pyrocms/pyrocms
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2023-29689
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.98329
EPSS Score 0.60821
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T17:25:29.174725+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2023/29xxx/CVE-2023-29689.json 38.6.0