CVE-2025-57759 — Improper Privilege Management in Contao

CWE-269 — Improper Privilege Management4 documents4 sources

Severity

4.3MEDIUMNVD

EPSS

0.0%

top 88.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Contao Contao Core-bundle

Timeline

PublishedAug 28

Description

Contao is an Open Source CMS. In versions starting from 5.3.0 and prior to 5.3.38 and 5.6.1, under certain conditions, back end users may be able to edit fields of pages and articles without having the necessary permissions. This issue has been patched in versions 5.3.38 and 5.6.1. There are no workarounds.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

▶NVDcontao/contao5.3.0 — 5.3.38+1

▶Packagistcontao/contao5.3.0 — 5.3.38+1

▶Packagistcontao/core-bundle5.3.0 — 5.3.38+1

▶CVEListV5contao/contao>= 5.3.0, < 5.3.38, >= 5.4.0-RC1, < 5.6.1+1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Contao does not properly manage privileges for page and article fields↗2025-08-28

▶

GHSA

Contao does not properly manage privileges for page and article fields↗2025-08-28

▶

CVEList

Contao has improper privilege management for page and article fields↗2025-08-28

▶