Contao Core-Bundle vulnerabilities

CVE-2025-65960 [MEDIUM] CWE-351 Contao is vulnerable to remote code execution in template closures Contao is vulnerable to remote code execution in template closures ### Impact Backend users with precise control over the contents of template closures can execute arbitrary PHP functions that do not have required parameters. ### Patches Update to Contao 4.13.57, 5.3.42 or 5.6.5 ### Workarounds Manually patch the `Contao\Template::once()` method. ### Resources https://contao.org/en/security

CVE-2025-65961 [LOW] CWE-79 Contao is vulnerable to cross-site scripting in templates Contao is vulnerable to cross-site scripting in templates ### Impact It is possible to inject code into the template output that will be executed in the browser in the front end and back end. ### Patches Update to Contao 4.13.57, 5.3.42 or 5.6.5. ### Workarounds Do not use the affected templates or patch them manually. ### Refsources https://contao.org/en/security-advisories/cross-site-scripting-in-temp

CVE-2025-57759 [MEDIUM] CWE-269 Contao does not properly manage privileges for page and article fields Contao does not properly manage privileges for page and article fields ### Impact Under certain conditions, back end users may be able to edit fields of pages and articles without having the necessary permissions. ### Patches Update to Contao 5.3.38 or 5.6.1. ### Workarounds None. ### For more information If you have any questions or comments about this advisory, open an issue in [conta

CVE-2025-57758 [MEDIUM] CWE-284 Contao applies improper access control in the back end voters Contao applies improper access control in the back end voters ### Impact The table access voter in the back end doesn't check if a user is allowed to access the corresponding module. ### Patches Update to Contao 5.3.38 or 5.6.1. ### Workarounds Do not rely solely on the voter and additionally check `USER_CAN_ACCESS_MODULE`. ### For more information If you have any questions or comments about thi

CVE-2025-57757 [MEDIUM] CWE-200 Contao can disclose sensitive information in the news module Contao can disclose sensitive information in the news module ### Impact If a news feed contains protected news archives, their news items are not filtered and become publicly available in the RSS feed. ### Patches Update to Contao 5.3.38 or 5.6.1. ### Workarounds Do not add protected news archives to the news feed page. ### For more information If you have any questions or comments about this adv

CVE-2025-57756 [MEDIUM] CWE-200 Contao discloses sensitive information in the front end search index Contao discloses sensitive information in the front end search index ### Impact Protected content elements that are rendered as fragments are indexed and become publicly available in the front end search. ### Patches Update to Contao 4.13.56, 5.3.38 or 5.6.1. ### Workarounds Disable the front end search. ### For more information If you have any questions or comments about this advisory, o

CVE-2025-29790 [MEDIUM] CWE-79 Contao Vulnerable to Cross-Site Scripting (XSS) through SVG uploads Contao Vulnerable to Cross-Site Scripting (XSS) through SVG uploads ### Impact Users can upload SVG files with malicious code, which is then executed in the back end and/or front end. ### Patches Update to Contao 4.13.54, 5.3.30 or 5.5.6. ### Workarounds Remove `svg,svgz` from the allowed upload file types in the system settings and from `contao.editable_files` in the `config.yaml`. ### Refe

CVE-2024-45398 [HIGH] CWE-434 Contao affected by remote command execution through file upload Contao affected by remote command execution through file upload ### Impact Back end users with access to the file manager can upload malicious files and execute them on the server. ### Patches Update to Contao 4.13.49, 5.3.15 or 5.4.3. ### Workarounds Configure your web server so it does not execute PHP files and other scripts in the Contao file upload directory. ### References https://contao.or

CVE-2024-45604 [MEDIUM] CWE-22 Contao affected by directory traversal in the file selector widget Contao affected by directory traversal in the file selector widget ### Impact Back end users can list files outside their file mounts or the document root in the FileSelector widget. ### Patches Update to Contao 4.13.49. ### Workarounds None. ### References https://contao.org/en/security-advisories/directory-traversal-in-the-fileselector-widget ### For more information If you have any ques

CVE-2024-45612 [MEDIUM] CWE-20 Contao affected by insert tag injection via canonical URL Contao affected by insert tag injection via canonical URL ### Impact It is possible to inject insert tags in canonical URLs which will be replaced when the page is rendered. ### Patches Update to Contao 4.13.49, 5.3.15 or 5.4.3. ### Workarounds Disable canonical tags in the settings of the website root page. ### References https://contao.org/en/security-advisories/insert-tag-injection-via-canonical-u

CVE-2024-28235 [HIGH] CWE-200 Contao: Possible cookie sharing with external domains while checking protected pages for broken links Contao: Possible cookie sharing with external domains while checking protected pages for broken links ### Impact If the crawler is set to crawl protected pages, it sends the cookie header to externals URLs. ### Patches Update to Contao 4.13.40 or 5.3.4. ### Workarounds Disable crawling protected pages. ### References https://contao.org/en/security-advisories

CVE-2024-30262 [MEDIUM] CWE-384 Contao: Remember-me tokens will not be cleared after a password change Contao: Remember-me tokens will not be cleared after a password change ### Impact When a front end member changes their password, the corresponding remember-me tokens are not removed. ### Patches Update to Contao 4.13.40. ### Workarounds Disable "Allow auto login" in the login module. ### References https://contao.org/en/security-advisories/remember-me-tokens-are-not-cleared-after-a-pas

CVE-2024-28190 [MEDIUM] CWE-79 Contao: Cross site scripting in the file manager Contao: Cross site scripting in the file manager ### Impact Users can insert malicious code into file names when uploading files, which is then executed in tooltips and popups in the backend. ### Patches Update to Contao 4.13.40 or Contao 5.3.4. ### Workarounds Disable uploads for untrusted users. ### References https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager ### For more i

CVE-2024-28191 [LOW] CWE-74 Contao: Unencoded insert tags in the frontend Contao: Unencoded insert tags in the frontend ### Impact It is possible to inject insert tags via the form generator if the submitted form data is output on the page in a specific way. ### Patches Update to Contao 4.13.40 or 5.3.4. ### Workarounds Do not output the submitted form data on the website. ### References https://contao.org/en/security-advisories/insert-tag-injection-via-the-form-generator ### For more i

CVE-2023-36806 [MEDIUM] CWE-79 Cross site scripting via input unit widget Cross site scripting via input unit widget ### Impact Authenticated users can inject malicious code in widgets with units, which is then executed both in the element preview (back end) and on the website (front end). ### Patches Update to Contao 4.9.42, 4.13.28 or 5.1.10. ### Workarounds Disable login for all untrusted back end users. ### References https://contao.org/en/security-advisories/cross-site-scripting-in-

CVE-2019-11512 [CRITICAL] CWE-89 Contao SQL injection in the file manager Contao SQL injection in the file manager David Wind, penetration tester with A1 Digital, has discovered that the SQL injection vulnerability originally published under CVE-2017-16558 can still be exploited in the file manager in Contao 4.

CVE-2017-16558 [CRITICAL] CWE-89 Contao SQL injection in the backend and listing module Contao SQL injection in the backend and listing module Contao 3.0.0 to 3.5.30 and 4.0.0 to 4.4.7 contains an SQL injection vulnerability in the backend as well as in the listing module.

CVE-2022-24899 [HIGH] CWE-79 Cross site scripting via canonical tag in Contao Cross site scripting via canonical tag in Contao ### Impact Untrusted users can inject malicious code into the canonical tag, which is then executed on the web page (front end). ### Patches Update to Contao 4.13.3. ### Workarounds Disable canonical tags in the root page settings. ### References https://contao.org/en/security-advisories/cross-site-scripting-via-canonical-url ### For more information If you hav

CVE-2019-10641 [CRITICAL] CWE-640 Contao Does Not Invalidate Existing Sessions When Password Changes Contao Does Not Invalidate Existing Sessions When Password Changes Security researcher Ali Razzaq has discovered that existing sessions are not correctly invalidated when a user changes their password in the backend or frontend.

CVE-2019-10642 [HIGH] CWE-352 Contao CSRF Token Bypass Contao CSRF Token Bypass Security researcher Ali Razzaq has discovered that the request token check can be bypassed in Contao 4.7