Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:composer/contao/core-bundle@4.2.0
Typecomposer
Namespacecontao
Namecore-bundle
Version4.2.0
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version4.13.57
Latest_non_vulnerable_version5.6.5
Affected_by_vulnerabilities
0
url VCID-2w7m-mb7e-tqe6
vulnerability_id VCID-2w7m-mb7e-tqe6
summary 
Contao Vulnerable to Cross-Site Scripting (XSS) through SVG uploads
Users can upload SVG files with malicious code, which is then executed in the back end and/or front end.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-29790
reference_id
reference_type
scores
0
value 0.00533
scoring_system epss
scoring_elements 0.67769
published_at 2026-06-07T12:55:00Z
1
value 0.00533
scoring_system epss
scoring_elements 0.67779
published_at 2026-06-06T12:55:00Z
2
value 0.00533
scoring_system epss
scoring_elements 0.67772
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-29790
1
reference_url https://contao.org/en/security-advisories/cross-site-scripting-through-svg-uploads
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-18T18:48:29Z/
url https://contao.org/en/security-advisories/cross-site-scripting-through-svg-uploads
2
reference_url https://github.com/contao/contao
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/contao/contao
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-29790
reference_id CVE-2025-29790
reference_type
scores
0
value 4.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-29790
4
reference_url https://github.com/advisories/GHSA-vqqr-fgmh-f626
reference_id GHSA-vqqr-fgmh-f626
reference_type
scores
url https://github.com/advisories/GHSA-vqqr-fgmh-f626
5
reference_url https://github.com/contao/contao/security/advisories/GHSA-vqqr-fgmh-f626
reference_id GHSA-vqqr-fgmh-f626
reference_type
scores
0
value 4.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-18T18:48:29Z/
url https://github.com/contao/contao/security/advisories/GHSA-vqqr-fgmh-f626
fixed_packages
0
url pkg:composer/contao/core-bundle@4.13.54
purl pkg:composer/contao/core-bundle@4.13.54
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-f1az-1ejn-53f7
1
vulnerability VCID-r1h5-ag74-dbaw
2
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.13.54
1
url pkg:composer/contao/core-bundle@5.0.0-RC1
purl pkg:composer/contao/core-bundle@5.0.0-RC1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-afma-748j-uqae
1
vulnerability VCID-f1az-1ejn-53f7
2
vulnerability VCID-gzzh-6ysu-9yey
3
vulnerability VCID-jbcs-b2p9-myhz
4
vulnerability VCID-jzx2-et8q-7qhm
5
vulnerability VCID-r1h5-ag74-dbaw
6
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@5.0.0-RC1
2
url pkg:composer/contao/core-bundle@5.3.30
purl pkg:composer/contao/core-bundle@5.3.30
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-afma-748j-uqae
1
vulnerability VCID-f1az-1ejn-53f7
2
vulnerability VCID-p4tq-y4en-57ag
3
vulnerability VCID-r1h5-ag74-dbaw
4
vulnerability VCID-wyd5-t8at-8bba
5
vulnerability VCID-ycnh-mnst-duap
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@5.3.30
3
url pkg:composer/contao/core-bundle@5.4.0-RC1
purl pkg:composer/contao/core-bundle@5.4.0-RC1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-afma-748j-uqae
1
vulnerability VCID-f1az-1ejn-53f7
2
vulnerability VCID-p4tq-y4en-57ag
3
vulnerability VCID-r1h5-ag74-dbaw
4
vulnerability VCID-wyd5-t8at-8bba
5
vulnerability VCID-ycnh-mnst-duap
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@5.4.0-RC1
4
url pkg:composer/contao/core-bundle@5.5.6
purl pkg:composer/contao/core-bundle@5.5.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-afma-748j-uqae
1
vulnerability VCID-f1az-1ejn-53f7
2
vulnerability VCID-p4tq-y4en-57ag
3
vulnerability VCID-r1h5-ag74-dbaw
4
vulnerability VCID-wyd5-t8at-8bba
5
vulnerability VCID-ycnh-mnst-duap
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@5.5.6
aliases CVE-2025-29790, GHSA-vqqr-fgmh-f626
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2w7m-mb7e-tqe6
1
url VCID-3fux-z15d-13g1
vulnerability_id VCID-3fux-z15d-13g1
summary Contao allows SQL Injection.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2019-11512
reference_id
reference_type
scores
0
value 0.00307
scoring_system epss
scoring_elements 0.54265
published_at 2026-06-06T12:55:00Z
1
value 0.00307
scoring_system epss
scoring_elements 0.54232
published_at 2026-06-08T12:55:00Z
2
value 0.00307
scoring_system epss
scoring_elements 0.54255
published_at 2026-06-07T12:55:00Z
3
value 0.00307
scoring_system epss
scoring_elements 0.542
published_at 2026-06-04T12:55:00Z
4
value 0.00307
scoring_system epss
scoring_elements 0.54257
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2019-11512
1
reference_url https://contao.org/en/news/security-vulnerability-cve-2019-11512.html
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://contao.org/en/news/security-vulnerability-cve-2019-11512.html
2
reference_url https://github.com/contao/contao/commit/87d92f823b08b91a0aeb522284537c8afcdb8aba
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/contao/contao/commit/87d92f823b08b91a0aeb522284537c8afcdb8aba
3
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2019-11512.yaml
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2019-11512.yaml
4
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2019-11512.yaml
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2019-11512.yaml
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-11512
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2019-11512
6
reference_url https://github.com/advisories/GHSA-vq59-x6mq-4wgw
reference_id GHSA-vq59-x6mq-4wgw
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vq59-x6mq-4wgw
fixed_packages
0
url pkg:composer/contao/core-bundle@4.4.39
purl pkg:composer/contao/core-bundle@4.4.39
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-82d1-8yn8-sydv
2
vulnerability VCID-98fv-kpqs-mybc
3
vulnerability VCID-ah8s-8q49-8qbw
4
vulnerability VCID-f8ny-db5g-pkhw
5
vulnerability VCID-h8k9-qw2h-zyd2
6
vulnerability VCID-jbcs-b2p9-myhz
7
vulnerability VCID-jzx2-et8q-7qhm
8
vulnerability VCID-mt93-hcnp-13ah
9
vulnerability VCID-n4wc-kknf-hffb
10
vulnerability VCID-nepv-9985-37g4
11
vulnerability VCID-qvqr-t2ka-zybq
12
vulnerability VCID-r1h5-ag74-dbaw
13
vulnerability VCID-rj3d-jeyz-vye5
14
vulnerability VCID-t2u3-tgg3-cbb9
15
vulnerability VCID-u6sk-25yd-e7b2
16
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.4.39
1
url pkg:composer/contao/core-bundle@4.7.5
purl pkg:composer/contao/core-bundle@4.7.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-82d1-8yn8-sydv
2
vulnerability VCID-98fv-kpqs-mybc
3
vulnerability VCID-ah8s-8q49-8qbw
4
vulnerability VCID-azpb-eq6c-e7bw
5
vulnerability VCID-f8ny-db5g-pkhw
6
vulnerability VCID-h8k9-qw2h-zyd2
7
vulnerability VCID-jbcs-b2p9-myhz
8
vulnerability VCID-jzx2-et8q-7qhm
9
vulnerability VCID-mt93-hcnp-13ah
10
vulnerability VCID-n4wc-kknf-hffb
11
vulnerability VCID-nepv-9985-37g4
12
vulnerability VCID-qvqr-t2ka-zybq
13
vulnerability VCID-r1h5-ag74-dbaw
14
vulnerability VCID-rj3d-jeyz-vye5
15
vulnerability VCID-t2u3-tgg3-cbb9
16
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.7.5
aliases CVE-2019-11512, GHSA-vq59-x6mq-4wgw
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3fux-z15d-13g1
2
url VCID-5kwa-7kx3-kfga
vulnerability_id VCID-5kwa-7kx3-kfga
summary 
Weak Password Recovery Mechanism for Forgotten Password
Contao has a Weak Password Recovery Mechanism for a Forgotten Password.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2019-10641
reference_id
reference_type
scores
0
value 0.00266
scoring_system epss
scoring_elements 0.50287
published_at 2026-06-04T12:55:00Z
1
value 0.00266
scoring_system epss
scoring_elements 0.50309
published_at 2026-06-08T12:55:00Z
2
value 0.00266
scoring_system epss
scoring_elements 0.50337
published_at 2026-06-07T12:55:00Z
3
value 0.00266
scoring_system epss
scoring_elements 0.50356
published_at 2026-06-06T12:55:00Z
4
value 0.00266
scoring_system epss
scoring_elements 0.50348
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2019-10641
1
reference_url https://contao.org/en/news/security-vulnerability-cve-2019-10641.html
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://contao.org/en/news/security-vulnerability-cve-2019-10641.html
2
reference_url https://github.com/contao/contao/commit/74c7dfafa0dfa5363a9463b486522d5d526e28fe
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/contao/contao/commit/74c7dfafa0dfa5363a9463b486522d5d526e28fe
3
reference_url https://github.com/contao/contao/commit/b92e27bc7c9e59226077937f840c74ffd0f672e8
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/contao/contao/commit/b92e27bc7c9e59226077937f840c74ffd0f672e8
4
reference_url https://github.com/contao/core/commit/119a1b5bd9e62d27ca2838727084d04f3b7fcd32
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/contao/core/commit/119a1b5bd9e62d27ca2838727084d04f3b7fcd32
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-10641
reference_id CVE-2019-10641
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2019-10641
6
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2019-10641.yaml
reference_id CVE-2019-10641.YAML
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2019-10641.yaml
7
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2019-10641.yaml
reference_id CVE-2019-10641.YAML
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2019-10641.yaml
8
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core/CVE-2019-10641.yaml
reference_id CVE-2019-10641.YAML
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core/CVE-2019-10641.yaml
9
reference_url https://github.com/advisories/GHSA-vcgg-hp4r-87gx
reference_id GHSA-vcgg-hp4r-87gx
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vcgg-hp4r-87gx
fixed_packages
0
url pkg:composer/contao/core-bundle@4.4.37
purl pkg:composer/contao/core-bundle@4.4.37
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-3fux-z15d-13g1
2
vulnerability VCID-82d1-8yn8-sydv
3
vulnerability VCID-98fv-kpqs-mybc
4
vulnerability VCID-ah8s-8q49-8qbw
5
vulnerability VCID-f8ny-db5g-pkhw
6
vulnerability VCID-h8k9-qw2h-zyd2
7
vulnerability VCID-jbcs-b2p9-myhz
8
vulnerability VCID-jzx2-et8q-7qhm
9
vulnerability VCID-mt93-hcnp-13ah
10
vulnerability VCID-n4wc-kknf-hffb
11
vulnerability VCID-nepv-9985-37g4
12
vulnerability VCID-qvqr-t2ka-zybq
13
vulnerability VCID-r1h5-ag74-dbaw
14
vulnerability VCID-rj3d-jeyz-vye5
15
vulnerability VCID-t2u3-tgg3-cbb9
16
vulnerability VCID-u6sk-25yd-e7b2
17
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.4.37
1
url pkg:composer/contao/core-bundle@4.7.3
purl pkg:composer/contao/core-bundle@4.7.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-3fux-z15d-13g1
2
vulnerability VCID-82d1-8yn8-sydv
3
vulnerability VCID-98fv-kpqs-mybc
4
vulnerability VCID-ah8s-8q49-8qbw
5
vulnerability VCID-azpb-eq6c-e7bw
6
vulnerability VCID-f8ny-db5g-pkhw
7
vulnerability VCID-h8k9-qw2h-zyd2
8
vulnerability VCID-jbcs-b2p9-myhz
9
vulnerability VCID-jzx2-et8q-7qhm
10
vulnerability VCID-mt93-hcnp-13ah
11
vulnerability VCID-n4wc-kknf-hffb
12
vulnerability VCID-nepv-9985-37g4
13
vulnerability VCID-qvqr-t2ka-zybq
14
vulnerability VCID-r1h5-ag74-dbaw
15
vulnerability VCID-rj3d-jeyz-vye5
16
vulnerability VCID-t2u3-tgg3-cbb9
17
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.7.3
aliases CVE-2019-10641, GHSA-vcgg-hp4r-87gx
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5kwa-7kx3-kfga
3
url VCID-6um8-6hqz-uybm
vulnerability_id VCID-6um8-6hqz-uybm
summary 
SQL injection vulnerability
Both the search filter in the back end and the "listing" module in the front end are vulnerable to SQL injection. To exploit the vulnerability in the back end, a back end user has to be logged in, whereas the front end vulnerability can be exploited by anyone.
references
0
reference_url http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16558
reference_id
reference_type
scores
url http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16558
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2017-16558
reference_id
reference_type
scores
0
value 0.00288
scoring_system epss
scoring_elements 0.52496
published_at 2026-06-08T12:55:00Z
1
value 0.00288
scoring_system epss
scoring_elements 0.52535
published_at 2026-06-05T12:55:00Z
2
value 0.00288
scoring_system epss
scoring_elements 0.52543
published_at 2026-06-06T12:55:00Z
3
value 0.00288
scoring_system epss
scoring_elements 0.52524
published_at 2026-06-07T12:55:00Z
4
value 0.00288
scoring_system epss
scoring_elements 0.52475
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2017-16558
2
reference_url https://contao.org/de/changelog/versions/4.4.html
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://contao.org/de/changelog/versions/4.4.html
3
reference_url https://contao.org/en/news/contao-4_4_8.html
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://contao.org/en/news/contao-4_4_8.html
4
reference_url https://github.com/contao/contao/blob/4.4.57/CHANGELOG.md#448-2017-11-15
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/contao/contao/blob/4.4.57/CHANGELOG.md#448-2017-11-15
5
reference_url https://github.com/contao/contao/commit/501cb3cd34d61089b94e7ed78da53977bc71fc3e
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/contao/contao/commit/501cb3cd34d61089b94e7ed78da53977bc71fc3e
6
reference_url https://github.com/contao/contao/commit/6b4a2711edf166c85cfd7a53fed6aea56d4f0544
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/contao/contao/commit/6b4a2711edf166c85cfd7a53fed6aea56d4f0544
7
reference_url https://github.com/contao/core-bundle/commit/92598f97b513e0b831dbfd68d471c44c79c425a4
reference_id
reference_type
scores
url https://github.com/contao/core-bundle/commit/92598f97b513e0b831dbfd68d471c44c79c425a4
8
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2017-16558.yaml
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2017-16558.yaml
9
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2017-16558.yaml
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2017-16558.yaml
10
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/listing-bundle/CVE-2017-16558.yaml
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/listing-bundle/CVE-2017-16558.yaml
11
reference_url https://nvd.nist.gov/vuln/detail/CVE-2017-16558
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2017-16558
12
reference_url https://github.com/advisories/GHSA-w38g-hj45-mjjp
reference_id GHSA-w38g-hj45-mjjp
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-w38g-hj45-mjjp
fixed_packages
0
url pkg:composer/contao/core-bundle@4.4.8
purl pkg:composer/contao/core-bundle@4.4.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-3fux-z15d-13g1
2
vulnerability VCID-4rrm-u81m-7kdt
3
vulnerability VCID-5kwa-7kx3-kfga
4
vulnerability VCID-82d1-8yn8-sydv
5
vulnerability VCID-98fv-kpqs-mybc
6
vulnerability VCID-ah8s-8q49-8qbw
7
vulnerability VCID-epmj-qf23-xffd
8
vulnerability VCID-f8ny-db5g-pkhw
9
vulnerability VCID-h8k9-qw2h-zyd2
10
vulnerability VCID-jbcs-b2p9-myhz
11
vulnerability VCID-jzx2-et8q-7qhm
12
vulnerability VCID-mt93-hcnp-13ah
13
vulnerability VCID-n4wc-kknf-hffb
14
vulnerability VCID-nepv-9985-37g4
15
vulnerability VCID-qvqr-t2ka-zybq
16
vulnerability VCID-r1h5-ag74-dbaw
17
vulnerability VCID-rj3d-jeyz-vye5
18
vulnerability VCID-t2u3-tgg3-cbb9
19
vulnerability VCID-u6sk-25yd-e7b2
20
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.4.8
1
url pkg:composer/contao/core-bundle@4.5.0-beta2
purl pkg:composer/contao/core-bundle@4.5.0-beta2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-f8ny-db5g-pkhw
2
vulnerability VCID-h8k9-qw2h-zyd2
3
vulnerability VCID-jbcs-b2p9-myhz
4
vulnerability VCID-jzx2-et8q-7qhm
5
vulnerability VCID-mt93-hcnp-13ah
6
vulnerability VCID-n4wc-kknf-hffb
7
vulnerability VCID-nepv-9985-37g4
8
vulnerability VCID-qvqr-t2ka-zybq
9
vulnerability VCID-r1h5-ag74-dbaw
10
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.5.0-beta2
aliases CVE-2017-16558, GHSA-w38g-hj45-mjjp
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6um8-6hqz-uybm
4
url VCID-82d1-8yn8-sydv
vulnerability_id VCID-82d1-8yn8-sydv
summary 
Cross site scripting via HTML attributes in the back end
It is possible for untrusted users to inject malicious code into HTML attributes in the back end, which will be executed both in the element preview (back end) and on the website (front end).

Installations are only affected if there are untrusted back end users who have the rights to modify HTML fields (e.g. TinyMCE).
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-35955
reference_id
reference_type
scores
0
value 0.00364
scoring_system epss
scoring_elements 0.5877
published_at 2026-06-05T12:55:00Z
1
value 0.00364
scoring_system epss
scoring_elements 0.58752
published_at 2026-06-08T12:55:00Z
2
value 0.00364
scoring_system epss
scoring_elements 0.58767
published_at 2026-06-07T12:55:00Z
3
value 0.00364
scoring_system epss
scoring_elements 0.58724
published_at 2026-06-04T12:55:00Z
4
value 0.00364
scoring_system epss
scoring_elements 0.58775
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-35955
1
reference_url https://contao.org/en/news/contao-4-9-16-and-4-11-5-are-available.html
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://contao.org/en/news/contao-4-9-16-and-4-11-5-are-available.html
2
reference_url https://contao.org/en/security-advisories/cross-site-scripting-via-html-attributes-in-the-back-end.html
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://contao.org/en/security-advisories/cross-site-scripting-via-html-attributes-in-the-back-end.html
3
reference_url https://github.com/contao/contao
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/contao/contao
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-35955
reference_id CVE-2021-35955
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-35955
5
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2021-35955.yaml
reference_id CVE-2021-35955.YAML
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2021-35955.yaml
6
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2021-35955.yaml
reference_id CVE-2021-35955.YAML
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2021-35955.yaml
7
reference_url https://github.com/advisories/GHSA-hr3h-x6gq-rqcp
reference_id GHSA-hr3h-x6gq-rqcp
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-hr3h-x6gq-rqcp
8
reference_url https://github.com/contao/contao/security/advisories/GHSA-hr3h-x6gq-rqcp
reference_id GHSA-hr3h-x6gq-rqcp
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/contao/contao/security/advisories/GHSA-hr3h-x6gq-rqcp
fixed_packages
0
url pkg:composer/contao/core-bundle@4.4.56
purl pkg:composer/contao/core-bundle@4.4.56
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-f8ny-db5g-pkhw
2
vulnerability VCID-h8k9-qw2h-zyd2
3
vulnerability VCID-jbcs-b2p9-myhz
4
vulnerability VCID-jzx2-et8q-7qhm
5
vulnerability VCID-mt93-hcnp-13ah
6
vulnerability VCID-n4wc-kknf-hffb
7
vulnerability VCID-nepv-9985-37g4
8
vulnerability VCID-qvqr-t2ka-zybq
9
vulnerability VCID-r1h5-ag74-dbaw
10
vulnerability VCID-rj3d-jeyz-vye5
11
vulnerability VCID-t2u3-tgg3-cbb9
12
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.4.56
1
url pkg:composer/contao/core-bundle@4.9.18
purl pkg:composer/contao/core-bundle@4.9.18
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-f1az-1ejn-53f7
2
vulnerability VCID-f8ny-db5g-pkhw
3
vulnerability VCID-gzzh-6ysu-9yey
4
vulnerability VCID-h8k9-qw2h-zyd2
5
vulnerability VCID-jbcs-b2p9-myhz
6
vulnerability VCID-jzx2-et8q-7qhm
7
vulnerability VCID-mt93-hcnp-13ah
8
vulnerability VCID-n4wc-kknf-hffb
9
vulnerability VCID-nepv-9985-37g4
10
vulnerability VCID-qvqr-t2ka-zybq
11
vulnerability VCID-r1h5-ag74-dbaw
12
vulnerability VCID-rj3d-jeyz-vye5
13
vulnerability VCID-t2u3-tgg3-cbb9
14
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.9.18
2
url pkg:composer/contao/core-bundle@4.11.7
purl pkg:composer/contao/core-bundle@4.11.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-f1az-1ejn-53f7
2
vulnerability VCID-f8ny-db5g-pkhw
3
vulnerability VCID-gzzh-6ysu-9yey
4
vulnerability VCID-h8k9-qw2h-zyd2
5
vulnerability VCID-jbcs-b2p9-myhz
6
vulnerability VCID-jzx2-et8q-7qhm
7
vulnerability VCID-mt93-hcnp-13ah
8
vulnerability VCID-n4wc-kknf-hffb
9
vulnerability VCID-nepv-9985-37g4
10
vulnerability VCID-qvqr-t2ka-zybq
11
vulnerability VCID-r1h5-ag74-dbaw
12
vulnerability VCID-rj3d-jeyz-vye5
13
vulnerability VCID-t2u3-tgg3-cbb9
14
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.11.7
aliases CVE-2021-35955, GHSA-hr3h-x6gq-rqcp
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-82d1-8yn8-sydv
5
url VCID-98fv-kpqs-mybc
vulnerability_id VCID-98fv-kpqs-mybc
summary 
Unrestricted Upload of File with Dangerous Type
Contao allows PHP local file inclusion. A back end user with access to the form generator can upload arbitrary files and execute them on the server.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2019-19745
reference_id
reference_type
scores
0
value 0.00452
scoring_system epss
scoring_elements 0.64064
published_at 2026-06-04T12:55:00Z
1
value 0.00452
scoring_system epss
scoring_elements 0.64093
published_at 2026-06-08T12:55:00Z
2
value 0.00452
scoring_system epss
scoring_elements 0.64105
published_at 2026-06-07T12:55:00Z
3
value 0.00452
scoring_system epss
scoring_elements 0.64116
published_at 2026-06-06T12:55:00Z
4
value 0.00452
scoring_system epss
scoring_elements 0.64107
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2019-19745
1
reference_url https://contao.org/en/news.html
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://contao.org/en/news.html
2
reference_url https://contao.org/en/security-advisories/unrestricted-file-uploads.html
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://contao.org/en/security-advisories/unrestricted-file-uploads.html
3
reference_url https://github.com/contao/contao
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/contao/contao
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-19745
reference_id CVE-2019-19745
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2019-19745
5
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2019-19745.yaml
reference_id CVE-2019-19745.YAML
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2019-19745.yaml
6
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2019-19745.yaml
reference_id CVE-2019-19745.YAML
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2019-19745.yaml
7
reference_url https://github.com/advisories/GHSA-wjx8-cgrm-hh8p
reference_id GHSA-wjx8-cgrm-hh8p
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-wjx8-cgrm-hh8p
8
reference_url https://github.com/contao/contao/security/advisories/GHSA-wjx8-cgrm-hh8p
reference_id GHSA-wjx8-cgrm-hh8p
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/contao/contao/security/advisories/GHSA-wjx8-cgrm-hh8p
fixed_packages
0
url pkg:composer/contao/core-bundle@4.4.46
purl pkg:composer/contao/core-bundle@4.4.46
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-82d1-8yn8-sydv
2
vulnerability VCID-f8ny-db5g-pkhw
3
vulnerability VCID-h8k9-qw2h-zyd2
4
vulnerability VCID-jbcs-b2p9-myhz
5
vulnerability VCID-jzx2-et8q-7qhm
6
vulnerability VCID-mt93-hcnp-13ah
7
vulnerability VCID-n4wc-kknf-hffb
8
vulnerability VCID-nepv-9985-37g4
9
vulnerability VCID-qvqr-t2ka-zybq
10
vulnerability VCID-r1h5-ag74-dbaw
11
vulnerability VCID-rj3d-jeyz-vye5
12
vulnerability VCID-t2u3-tgg3-cbb9
13
vulnerability VCID-u6sk-25yd-e7b2
14
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.4.46
1
url pkg:composer/contao/core-bundle@4.5.0-RC1
purl pkg:composer/contao/core-bundle@4.5.0-RC1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-f8ny-db5g-pkhw
2
vulnerability VCID-h8k9-qw2h-zyd2
3
vulnerability VCID-jbcs-b2p9-myhz
4
vulnerability VCID-jzx2-et8q-7qhm
5
vulnerability VCID-mt93-hcnp-13ah
6
vulnerability VCID-n4wc-kknf-hffb
7
vulnerability VCID-nepv-9985-37g4
8
vulnerability VCID-qvqr-t2ka-zybq
9
vulnerability VCID-r1h5-ag74-dbaw
10
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.5.0-RC1
2
url pkg:composer/contao/core-bundle@4.8.6
purl pkg:composer/contao/core-bundle@4.8.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-82d1-8yn8-sydv
2
vulnerability VCID-azpb-eq6c-e7bw
3
vulnerability VCID-f8ny-db5g-pkhw
4
vulnerability VCID-h8k9-qw2h-zyd2
5
vulnerability VCID-jbcs-b2p9-myhz
6
vulnerability VCID-jzx2-et8q-7qhm
7
vulnerability VCID-mt93-hcnp-13ah
8
vulnerability VCID-n4wc-kknf-hffb
9
vulnerability VCID-nepv-9985-37g4
10
vulnerability VCID-qvqr-t2ka-zybq
11
vulnerability VCID-r1h5-ag74-dbaw
12
vulnerability VCID-rj3d-jeyz-vye5
13
vulnerability VCID-t2u3-tgg3-cbb9
14
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.8.6
3
url pkg:composer/contao/core-bundle@5.5.4
purl pkg:composer/contao/core-bundle@5.5.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-afma-748j-uqae
2
vulnerability VCID-f1az-1ejn-53f7
3
vulnerability VCID-p4tq-y4en-57ag
4
vulnerability VCID-r1h5-ag74-dbaw
5
vulnerability VCID-wyd5-t8at-8bba
6
vulnerability VCID-ycnh-mnst-duap
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@5.5.4
aliases CVE-2019-19745, GHSA-wjx8-cgrm-hh8p
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-98fv-kpqs-mybc
6
url VCID-ah8s-8q49-8qbw
vulnerability_id VCID-ah8s-8q49-8qbw
summary 
Incorrect Default Permissions
Contao 4.0 through 4.8.5 has Insecure Permissions. Back end users can manipulate the details view URL to show pages and articles that have not been enabled for them.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2019-19712
reference_id
reference_type
scores
0
value 0.00133
scoring_system epss
scoring_elements 0.32448
published_at 2026-06-04T12:55:00Z
1
value 0.00133
scoring_system epss
scoring_elements 0.32418
published_at 2026-06-08T12:55:00Z
2
value 0.00133
scoring_system epss
scoring_elements 0.32449
published_at 2026-06-07T12:55:00Z
3
value 0.00133
scoring_system epss
scoring_elements 0.32488
published_at 2026-06-06T12:55:00Z
4
value 0.00133
scoring_system epss
scoring_elements 0.3252
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2019-19712
1
reference_url https://contao.org/en/news.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://contao.org/en/news.html
2
reference_url https://contao.org/en/security-advisories/information-disclosure-in-the-back-end.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://contao.org/en/security-advisories/information-disclosure-in-the-back-end.html
3
reference_url https://github.com/contao/contao
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/contao/contao
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-19712
reference_id CVE-2019-19712
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2019-19712
5
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2019-19712.yaml
reference_id CVE-2019-19712.YAML
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2019-19712.yaml
6
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2019-19712.yaml
reference_id CVE-2019-19712.YAML
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2019-19712.yaml
7
reference_url https://github.com/advisories/GHSA-4mvc-qc5w-v5qr
reference_id GHSA-4mvc-qc5w-v5qr
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-4mvc-qc5w-v5qr
8
reference_url https://github.com/contao/contao/security/advisories/GHSA-4mvc-qc5w-v5qr
reference_id GHSA-4mvc-qc5w-v5qr
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/contao/contao/security/advisories/GHSA-4mvc-qc5w-v5qr
fixed_packages
0
url pkg:composer/contao/core-bundle@4.4.46
purl pkg:composer/contao/core-bundle@4.4.46
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-82d1-8yn8-sydv
2
vulnerability VCID-f8ny-db5g-pkhw
3
vulnerability VCID-h8k9-qw2h-zyd2
4
vulnerability VCID-jbcs-b2p9-myhz
5
vulnerability VCID-jzx2-et8q-7qhm
6
vulnerability VCID-mt93-hcnp-13ah
7
vulnerability VCID-n4wc-kknf-hffb
8
vulnerability VCID-nepv-9985-37g4
9
vulnerability VCID-qvqr-t2ka-zybq
10
vulnerability VCID-r1h5-ag74-dbaw
11
vulnerability VCID-rj3d-jeyz-vye5
12
vulnerability VCID-t2u3-tgg3-cbb9
13
vulnerability VCID-u6sk-25yd-e7b2
14
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.4.46
1
url pkg:composer/contao/core-bundle@4.5.0-RC1
purl pkg:composer/contao/core-bundle@4.5.0-RC1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-f8ny-db5g-pkhw
2
vulnerability VCID-h8k9-qw2h-zyd2
3
vulnerability VCID-jbcs-b2p9-myhz
4
vulnerability VCID-jzx2-et8q-7qhm
5
vulnerability VCID-mt93-hcnp-13ah
6
vulnerability VCID-n4wc-kknf-hffb
7
vulnerability VCID-nepv-9985-37g4
8
vulnerability VCID-qvqr-t2ka-zybq
9
vulnerability VCID-r1h5-ag74-dbaw
10
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.5.0-RC1
2
url pkg:composer/contao/core-bundle@4.8.6
purl pkg:composer/contao/core-bundle@4.8.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-82d1-8yn8-sydv
2
vulnerability VCID-azpb-eq6c-e7bw
3
vulnerability VCID-f8ny-db5g-pkhw
4
vulnerability VCID-h8k9-qw2h-zyd2
5
vulnerability VCID-jbcs-b2p9-myhz
6
vulnerability VCID-jzx2-et8q-7qhm
7
vulnerability VCID-mt93-hcnp-13ah
8
vulnerability VCID-n4wc-kknf-hffb
9
vulnerability VCID-nepv-9985-37g4
10
vulnerability VCID-qvqr-t2ka-zybq
11
vulnerability VCID-r1h5-ag74-dbaw
12
vulnerability VCID-rj3d-jeyz-vye5
13
vulnerability VCID-t2u3-tgg3-cbb9
14
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.8.6
3
url pkg:composer/contao/core-bundle@5.5.4
purl pkg:composer/contao/core-bundle@5.5.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-afma-748j-uqae
2
vulnerability VCID-f1az-1ejn-53f7
3
vulnerability VCID-p4tq-y4en-57ag
4
vulnerability VCID-r1h5-ag74-dbaw
5
vulnerability VCID-wyd5-t8at-8bba
6
vulnerability VCID-ycnh-mnst-duap
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@5.5.4
aliases CVE-2019-19712, GHSA-4mvc-qc5w-v5qr
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ah8s-8q49-8qbw
7
url VCID-crsc-bhc9-y3f9
vulnerability_id VCID-crsc-bhc9-y3f9
summary 
PHP file inclusion vulnerability in the back end
A logged in back end user can include arbitrary PHP files by manipulating an URL parameter. Since Contao does not allow to upload PHP files in the file manager, the attack is limited to the existing PHP files on the server.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2017-10993
reference_id
reference_type
scores
0
value 0.00825
scoring_system epss
scoring_elements 0.74852
published_at 2026-06-07T12:55:00Z
1
value 0.00825
scoring_system epss
scoring_elements 0.74837
published_at 2026-06-08T12:55:00Z
2
value 0.00825
scoring_system epss
scoring_elements 0.74825
published_at 2026-06-04T12:55:00Z
3
value 0.00825
scoring_system epss
scoring_elements 0.74855
published_at 2026-06-05T12:55:00Z
4
value 0.00825
scoring_system epss
scoring_elements 0.74861
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2017-10993
1
reference_url https://contao.org/en/news/contao-3_5_28.html
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://contao.org/en/news/contao-3_5_28.html
2
reference_url https://contao.org/en/news/contao-4_4_1.html
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://contao.org/en/news/contao-4_4_1.html
3
reference_url https://github.com/contao/core-bundle/commit/2a85914f4ba858780ffbac38a468acb7028772c7
reference_id
reference_type
scores
url https://github.com/contao/core-bundle/commit/2a85914f4ba858780ffbac38a468acb7028772c7
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2017-10993
reference_id CVE-2017-10993
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2017-10993
5
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2017-10993.yaml
reference_id CVE-2017-10993.YAML
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2017-10993.yaml
6
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2017-10993.yaml
reference_id CVE-2017-10993.YAML
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2017-10993.yaml
7
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core/CVE-2017-10993.yaml
reference_id CVE-2017-10993.YAML
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core/CVE-2017-10993.yaml
8
reference_url https://github.com/advisories/GHSA-x5g4-crxq-qxjx
reference_id GHSA-x5g4-crxq-qxjx
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-x5g4-crxq-qxjx
fixed_packages
0
url pkg:composer/contao/core-bundle@4.4.1
purl pkg:composer/contao/core-bundle@4.4.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-3fux-z15d-13g1
2
vulnerability VCID-4rrm-u81m-7kdt
3
vulnerability VCID-5kwa-7kx3-kfga
4
vulnerability VCID-6um8-6hqz-uybm
5
vulnerability VCID-82d1-8yn8-sydv
6
vulnerability VCID-98fv-kpqs-mybc
7
vulnerability VCID-ah8s-8q49-8qbw
8
vulnerability VCID-epmj-qf23-xffd
9
vulnerability VCID-f8ny-db5g-pkhw
10
vulnerability VCID-h8k9-qw2h-zyd2
11
vulnerability VCID-jbcs-b2p9-myhz
12
vulnerability VCID-jzx2-et8q-7qhm
13
vulnerability VCID-mt93-hcnp-13ah
14
vulnerability VCID-n4wc-kknf-hffb
15
vulnerability VCID-nepv-9985-37g4
16
vulnerability VCID-qvqr-t2ka-zybq
17
vulnerability VCID-r1h5-ag74-dbaw
18
vulnerability VCID-rj3d-jeyz-vye5
19
vulnerability VCID-t2u3-tgg3-cbb9
20
vulnerability VCID-u6sk-25yd-e7b2
21
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.4.1
aliases CVE-2017-10993, GHSA-x5g4-crxq-qxjx
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-crsc-bhc9-y3f9
8
url VCID-epmj-qf23-xffd
vulnerability_id VCID-epmj-qf23-xffd
summary 
XSS in system log of back end
There's a Cross-Site Scripting (XSS) vulnerability in system log of back end. With a manipulated request, an attacker can implant a script which is executed when a logged in back end user opens the system log. The attacker themselves does not have to be logged in.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2018-10125
reference_id
reference_type
scores
0
value 0.00328
scoring_system epss
scoring_elements 0.56093
published_at 2026-06-07T12:55:00Z
1
value 0.00328
scoring_system epss
scoring_elements 0.56076
published_at 2026-06-08T12:55:00Z
2
value 0.00328
scoring_system epss
scoring_elements 0.56045
published_at 2026-06-04T12:55:00Z
3
value 0.00328
scoring_system epss
scoring_elements 0.561
published_at 2026-06-05T12:55:00Z
4
value 0.00328
scoring_system epss
scoring_elements 0.56106
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2018-10125
1
reference_url https://contao.org/en/news/contao-3_5_35.html
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://contao.org/en/news/contao-3_5_35.html
2
reference_url https://contao.org/en/news/contao-4_4_18.html
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://contao.org/en/news/contao-4_4_18.html
3
reference_url https://contao.org/en/security-advisories/cross-site-scripting-in-the-system-log.html
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://contao.org/en/security-advisories/cross-site-scripting-in-the-system-log.html
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2018-10125
reference_id CVE-2018-10125
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2018-10125
5
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2018-10125.yaml
reference_id CVE-2018-10125.YAML
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2018-10125.yaml
6
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2018-10125.yaml
reference_id CVE-2018-10125.YAML
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2018-10125.yaml
7
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core/CVE-2018-10125.yaml
reference_id CVE-2018-10125.YAML
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core/CVE-2018-10125.yaml
8
reference_url https://github.com/advisories/GHSA-pj4j-287j-f742
reference_id GHSA-pj4j-287j-f742
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-pj4j-287j-f742
fixed_packages
0
url pkg:composer/contao/core-bundle@4.4.17
purl pkg:composer/contao/core-bundle@4.4.17
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-3fux-z15d-13g1
2
vulnerability VCID-4rrm-u81m-7kdt
3
vulnerability VCID-5kwa-7kx3-kfga
4
vulnerability VCID-82d1-8yn8-sydv
5
vulnerability VCID-98fv-kpqs-mybc
6
vulnerability VCID-ah8s-8q49-8qbw
7
vulnerability VCID-f8ny-db5g-pkhw
8
vulnerability VCID-h8k9-qw2h-zyd2
9
vulnerability VCID-jbcs-b2p9-myhz
10
vulnerability VCID-jzx2-et8q-7qhm
11
vulnerability VCID-mt93-hcnp-13ah
12
vulnerability VCID-n4wc-kknf-hffb
13
vulnerability VCID-nepv-9985-37g4
14
vulnerability VCID-qvqr-t2ka-zybq
15
vulnerability VCID-r1h5-ag74-dbaw
16
vulnerability VCID-rj3d-jeyz-vye5
17
vulnerability VCID-t2u3-tgg3-cbb9
18
vulnerability VCID-u6sk-25yd-e7b2
19
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.4.17
1
url pkg:composer/contao/core-bundle@4.4.18
purl pkg:composer/contao/core-bundle@4.4.18
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-3fux-z15d-13g1
2
vulnerability VCID-4rrm-u81m-7kdt
3
vulnerability VCID-5kwa-7kx3-kfga
4
vulnerability VCID-82d1-8yn8-sydv
5
vulnerability VCID-98fv-kpqs-mybc
6
vulnerability VCID-ah8s-8q49-8qbw
7
vulnerability VCID-f8ny-db5g-pkhw
8
vulnerability VCID-h8k9-qw2h-zyd2
9
vulnerability VCID-jbcs-b2p9-myhz
10
vulnerability VCID-jzx2-et8q-7qhm
11
vulnerability VCID-mt93-hcnp-13ah
12
vulnerability VCID-n4wc-kknf-hffb
13
vulnerability VCID-nepv-9985-37g4
14
vulnerability VCID-qvqr-t2ka-zybq
15
vulnerability VCID-r1h5-ag74-dbaw
16
vulnerability VCID-rj3d-jeyz-vye5
17
vulnerability VCID-t2u3-tgg3-cbb9
18
vulnerability VCID-u6sk-25yd-e7b2
19
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.4.18
2
url pkg:composer/contao/core-bundle@4.5.7
purl pkg:composer/contao/core-bundle@4.5.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-3fux-z15d-13g1
2
vulnerability VCID-5kwa-7kx3-kfga
3
vulnerability VCID-82d1-8yn8-sydv
4
vulnerability VCID-98fv-kpqs-mybc
5
vulnerability VCID-ah8s-8q49-8qbw
6
vulnerability VCID-azpb-eq6c-e7bw
7
vulnerability VCID-f8ny-db5g-pkhw
8
vulnerability VCID-h8k9-qw2h-zyd2
9
vulnerability VCID-jbcs-b2p9-myhz
10
vulnerability VCID-jzx2-et8q-7qhm
11
vulnerability VCID-mt93-hcnp-13ah
12
vulnerability VCID-n4wc-kknf-hffb
13
vulnerability VCID-nepv-9985-37g4
14
vulnerability VCID-qvqr-t2ka-zybq
15
vulnerability VCID-r1h5-ag74-dbaw
16
vulnerability VCID-rj3d-jeyz-vye5
17
vulnerability VCID-t2u3-tgg3-cbb9
18
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.5.7
3
url pkg:composer/contao/core-bundle@4.5.8
purl pkg:composer/contao/core-bundle@4.5.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-3fux-z15d-13g1
2
vulnerability VCID-5kwa-7kx3-kfga
3
vulnerability VCID-82d1-8yn8-sydv
4
vulnerability VCID-98fv-kpqs-mybc
5
vulnerability VCID-ah8s-8q49-8qbw
6
vulnerability VCID-azpb-eq6c-e7bw
7
vulnerability VCID-f8ny-db5g-pkhw
8
vulnerability VCID-h8k9-qw2h-zyd2
9
vulnerability VCID-jbcs-b2p9-myhz
10
vulnerability VCID-jzx2-et8q-7qhm
11
vulnerability VCID-mt93-hcnp-13ah
12
vulnerability VCID-n4wc-kknf-hffb
13
vulnerability VCID-nepv-9985-37g4
14
vulnerability VCID-qvqr-t2ka-zybq
15
vulnerability VCID-r1h5-ag74-dbaw
16
vulnerability VCID-rj3d-jeyz-vye5
17
vulnerability VCID-t2u3-tgg3-cbb9
18
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.5.8
aliases CVE-2018-10125, GHSA-pj4j-287j-f742
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-epmj-qf23-xffd
9
url VCID-f8ny-db5g-pkhw
vulnerability_id VCID-f8ny-db5g-pkhw
summary 
Contao affected by remote command execution through file upload
Back end users with access to the file manager can upload malicious files and execute them on the server.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-45398
reference_id
reference_type
scores
0
value 0.00211
scoring_system epss
scoring_elements 0.43715
published_at 2026-06-07T12:55:00Z
1
value 0.00211
scoring_system epss
scoring_elements 0.43738
published_at 2026-06-06T12:55:00Z
2
value 0.00211
scoring_system epss
scoring_elements 0.4373
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-45398
1
reference_url https://contao.org/en/security-advisories/remote-command-execution-through-file-uploads
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-18T13:14:03Z/
url https://contao.org/en/security-advisories/remote-command-execution-through-file-uploads
2
reference_url https://github.com/contao/contao
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/contao/contao
3
reference_url https://github.com/contao/contao/commit/9445d509f12a7f1b68a4794dcc5e3e459b363ebb
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/contao/contao/commit/9445d509f12a7f1b68a4794dcc5e3e459b363ebb
4
reference_url https://github.com/contao/contao/commit/a7e39f96ac8fdc281f7caaa96e01deb0e24ac7d3
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/contao/contao/commit/a7e39f96ac8fdc281f7caaa96e01deb0e24ac7d3
5
reference_url https://github.com/contao/contao/commit/f3db59ffe5a6c0e1f705b3230ebd5ff16865280e
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/contao/contao/commit/f3db59ffe5a6c0e1f705b3230ebd5ff16865280e
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-45398
reference_id CVE-2024-45398
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-45398
7
reference_url https://github.com/advisories/GHSA-vm6r-j788-hjh5
reference_id GHSA-vm6r-j788-hjh5
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vm6r-j788-hjh5
8
reference_url https://github.com/contao/contao/security/advisories/GHSA-vm6r-j788-hjh5
reference_id GHSA-vm6r-j788-hjh5
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-18T13:14:03Z/
url https://github.com/contao/contao/security/advisories/GHSA-vm6r-j788-hjh5
fixed_packages
0
url pkg:composer/contao/core-bundle@4.13.49
purl pkg:composer/contao/core-bundle@4.13.49
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-f1az-1ejn-53f7
2
vulnerability VCID-r1h5-ag74-dbaw
3
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.13.49
1
url pkg:composer/contao/core-bundle@5.0.0-RC1
purl pkg:composer/contao/core-bundle@5.0.0-RC1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-afma-748j-uqae
1
vulnerability VCID-f1az-1ejn-53f7
2
vulnerability VCID-gzzh-6ysu-9yey
3
vulnerability VCID-jbcs-b2p9-myhz
4
vulnerability VCID-jzx2-et8q-7qhm
5
vulnerability VCID-r1h5-ag74-dbaw
6
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@5.0.0-RC1
2
url pkg:composer/contao/core-bundle@5.3.15
purl pkg:composer/contao/core-bundle@5.3.15
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-afma-748j-uqae
2
vulnerability VCID-f1az-1ejn-53f7
3
vulnerability VCID-p4tq-y4en-57ag
4
vulnerability VCID-r1h5-ag74-dbaw
5
vulnerability VCID-wyd5-t8at-8bba
6
vulnerability VCID-ycnh-mnst-duap
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@5.3.15
3
url pkg:composer/contao/core-bundle@5.4.0-RC1
purl pkg:composer/contao/core-bundle@5.4.0-RC1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-afma-748j-uqae
1
vulnerability VCID-f1az-1ejn-53f7
2
vulnerability VCID-p4tq-y4en-57ag
3
vulnerability VCID-r1h5-ag74-dbaw
4
vulnerability VCID-wyd5-t8at-8bba
5
vulnerability VCID-ycnh-mnst-duap
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@5.4.0-RC1
4
url pkg:composer/contao/core-bundle@5.4.3
purl pkg:composer/contao/core-bundle@5.4.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-afma-748j-uqae
2
vulnerability VCID-f1az-1ejn-53f7
3
vulnerability VCID-p4tq-y4en-57ag
4
vulnerability VCID-r1h5-ag74-dbaw
5
vulnerability VCID-wyd5-t8at-8bba
6
vulnerability VCID-ycnh-mnst-duap
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@5.4.3
5
url pkg:composer/contao/core-bundle@5.5.4
purl pkg:composer/contao/core-bundle@5.5.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-afma-748j-uqae
2
vulnerability VCID-f1az-1ejn-53f7
3
vulnerability VCID-p4tq-y4en-57ag
4
vulnerability VCID-r1h5-ag74-dbaw
5
vulnerability VCID-wyd5-t8at-8bba
6
vulnerability VCID-ycnh-mnst-duap
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@5.5.4
aliases CVE-2024-45398, GHSA-vm6r-j788-hjh5
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-f8ny-db5g-pkhw
10
url VCID-h8k9-qw2h-zyd2
vulnerability_id VCID-h8k9-qw2h-zyd2
summary 
Contao: Remember-me tokens will not be cleared after a password change
When a front end member changes their password, the corresponding remember-me tokens are not removed.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-30262
reference_id
reference_type
scores
0
value 0.00364
scoring_system epss
scoring_elements 0.58779
published_at 2026-06-07T12:55:00Z
1
value 0.00364
scoring_system epss
scoring_elements 0.58787
published_at 2026-06-06T12:55:00Z
2
value 0.00364
scoring_system epss
scoring_elements 0.58782
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-30262
1
reference_url https://contao.org/en/security-advisories/remember-me-tokens-are-not-cleared-after-a-password-change
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://contao.org/en/security-advisories/remember-me-tokens-are-not-cleared-after-a-password-change
2
reference_url https://github.com/contao/contao
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/contao/contao
3
reference_url https://github.com/contao/contao/commit/3032baa456f607169ffae82a8920354adb338fe9
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-10T19:19:06Z/
url https://github.com/contao/contao/commit/3032baa456f607169ffae82a8920354adb338fe9
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-30262
reference_id CVE-2024-30262
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-30262
5
reference_url https://github.com/advisories/GHSA-r4r6-j2j3-7pp5
reference_id GHSA-r4r6-j2j3-7pp5
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-r4r6-j2j3-7pp5
6
reference_url https://github.com/contao/contao/security/advisories/GHSA-r4r6-j2j3-7pp5
reference_id GHSA-r4r6-j2j3-7pp5
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-10T19:19:06Z/
url https://github.com/contao/contao/security/advisories/GHSA-r4r6-j2j3-7pp5
fixed_packages
0
url pkg:composer/contao/core-bundle@4.13.40
purl pkg:composer/contao/core-bundle@4.13.40
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-f1az-1ejn-53f7
2
vulnerability VCID-f8ny-db5g-pkhw
3
vulnerability VCID-gwea-1srz-9uca
4
vulnerability VCID-n4wc-kknf-hffb
5
vulnerability VCID-r1h5-ag74-dbaw
6
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.13.40
1
url pkg:composer/contao/core-bundle@5.0.0-RC1
purl pkg:composer/contao/core-bundle@5.0.0-RC1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-afma-748j-uqae
1
vulnerability VCID-f1az-1ejn-53f7
2
vulnerability VCID-gzzh-6ysu-9yey
3
vulnerability VCID-jbcs-b2p9-myhz
4
vulnerability VCID-jzx2-et8q-7qhm
5
vulnerability VCID-r1h5-ag74-dbaw
6
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@5.0.0-RC1
aliases CVE-2024-30262, GHSA-r4r6-j2j3-7pp5
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-h8k9-qw2h-zyd2
11
url VCID-jbcs-b2p9-myhz
vulnerability_id VCID-jbcs-b2p9-myhz
summary 
Contao: Cross site scripting in the file manager
Users can insert malicious code into file names when uploading files, which is then executed in tooltips and popups in the backend.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-28190
reference_id
reference_type
scores
0
value 0.00987
scoring_system epss
scoring_elements 0.77221
published_at 2026-06-07T12:55:00Z
1
value 0.00987
scoring_system epss
scoring_elements 0.77233
published_at 2026-06-06T12:55:00Z
2
value 0.00987
scoring_system epss
scoring_elements 0.77223
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-28190
1
reference_url https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-09T17:12:31Z/
url https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager
2
reference_url https://github.com/contao/contao
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/contao/contao
3
reference_url https://github.com/contao/contao/commit/878d28dbe0f408740555d6fc8b634bd3f8febfce
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-09T17:12:31Z/
url https://github.com/contao/contao/commit/878d28dbe0f408740555d6fc8b634bd3f8febfce
4
reference_url https://github.com/contao/contao/commit/b794e14fff070101bf6a885da9b1a83395093b4d
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-09T17:12:31Z/
url https://github.com/contao/contao/commit/b794e14fff070101bf6a885da9b1a83395093b4d
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-28190
reference_id CVE-2024-28190
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-28190
6
reference_url https://github.com/advisories/GHSA-v24p-7p4j-qvvf
reference_id GHSA-v24p-7p4j-qvvf
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-v24p-7p4j-qvvf
7
reference_url https://github.com/contao/contao/security/advisories/GHSA-v24p-7p4j-qvvf
reference_id GHSA-v24p-7p4j-qvvf
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-09T17:12:31Z/
url https://github.com/contao/contao/security/advisories/GHSA-v24p-7p4j-qvvf
fixed_packages
0
url pkg:composer/contao/core-bundle@4.13.40
purl pkg:composer/contao/core-bundle@4.13.40
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-f1az-1ejn-53f7
2
vulnerability VCID-f8ny-db5g-pkhw
3
vulnerability VCID-gwea-1srz-9uca
4
vulnerability VCID-n4wc-kknf-hffb
5
vulnerability VCID-r1h5-ag74-dbaw
6
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.13.40
1
url pkg:composer/contao/core-bundle@5.3.4
purl pkg:composer/contao/core-bundle@5.3.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-afma-748j-uqae
2
vulnerability VCID-f1az-1ejn-53f7
3
vulnerability VCID-f8ny-db5g-pkhw
4
vulnerability VCID-gwea-1srz-9uca
5
vulnerability VCID-p4tq-y4en-57ag
6
vulnerability VCID-r1h5-ag74-dbaw
7
vulnerability VCID-wyd5-t8at-8bba
8
vulnerability VCID-ycnh-mnst-duap
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@5.3.4
2
url pkg:composer/contao/core-bundle@5.5.4
purl pkg:composer/contao/core-bundle@5.5.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-afma-748j-uqae
2
vulnerability VCID-f1az-1ejn-53f7
3
vulnerability VCID-p4tq-y4en-57ag
4
vulnerability VCID-r1h5-ag74-dbaw
5
vulnerability VCID-wyd5-t8at-8bba
6
vulnerability VCID-ycnh-mnst-duap
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@5.5.4
aliases CVE-2024-28190, GHSA-v24p-7p4j-qvvf
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jbcs-b2p9-myhz
12
url VCID-jzx2-et8q-7qhm
vulnerability_id VCID-jzx2-et8q-7qhm
summary 
Contao: Unencoded insert tags in the frontend
It is possible to inject insert tags via the form generator if the submitted form data is output on the page in a specific way.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-28191
reference_id
reference_type
scores
0
value 0.00988
scoring_system epss
scoring_elements 0.77228
published_at 2026-06-07T12:55:00Z
1
value 0.00988
scoring_system epss
scoring_elements 0.7724
published_at 2026-06-06T12:55:00Z
2
value 0.00988
scoring_system epss
scoring_elements 0.7723
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-28191
1
reference_url https://contao.org/en/security-advisories/insert-tag-injection-via-the-form-generator
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-29T16:07:38Z/
url https://contao.org/en/security-advisories/insert-tag-injection-via-the-form-generator
2
reference_url https://github.com/contao/contao
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/contao/contao
3
reference_url https://github.com/contao/contao/commit/388859dcf110ca70e0fae68a2a5579ab6a702919
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-29T16:07:38Z/
url https://github.com/contao/contao/commit/388859dcf110ca70e0fae68a2a5579ab6a702919
4
reference_url https://github.com/contao/contao/commit/474a2fc25f1d84d786aba8c6d234af99e64d016b
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-29T16:07:38Z/
url https://github.com/contao/contao/commit/474a2fc25f1d84d786aba8c6d234af99e64d016b
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-28191
reference_id CVE-2024-28191
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-28191
6
reference_url https://github.com/advisories/GHSA-747v-52c4-8vj8
reference_id GHSA-747v-52c4-8vj8
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-747v-52c4-8vj8
7
reference_url https://github.com/contao/contao/security/advisories/GHSA-747v-52c4-8vj8
reference_id GHSA-747v-52c4-8vj8
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-29T16:07:38Z/
url https://github.com/contao/contao/security/advisories/GHSA-747v-52c4-8vj8
fixed_packages
0
url pkg:composer/contao/core-bundle@4.13.40
purl pkg:composer/contao/core-bundle@4.13.40
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-f1az-1ejn-53f7
2
vulnerability VCID-f8ny-db5g-pkhw
3
vulnerability VCID-gwea-1srz-9uca
4
vulnerability VCID-n4wc-kknf-hffb
5
vulnerability VCID-r1h5-ag74-dbaw
6
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.13.40
1
url pkg:composer/contao/core-bundle@5.3.4
purl pkg:composer/contao/core-bundle@5.3.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-afma-748j-uqae
2
vulnerability VCID-f1az-1ejn-53f7
3
vulnerability VCID-f8ny-db5g-pkhw
4
vulnerability VCID-gwea-1srz-9uca
5
vulnerability VCID-p4tq-y4en-57ag
6
vulnerability VCID-r1h5-ag74-dbaw
7
vulnerability VCID-wyd5-t8at-8bba
8
vulnerability VCID-ycnh-mnst-duap
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@5.3.4
2
url pkg:composer/contao/core-bundle@5.5.4
purl pkg:composer/contao/core-bundle@5.5.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-afma-748j-uqae
2
vulnerability VCID-f1az-1ejn-53f7
3
vulnerability VCID-p4tq-y4en-57ag
4
vulnerability VCID-r1h5-ag74-dbaw
5
vulnerability VCID-wyd5-t8at-8bba
6
vulnerability VCID-ycnh-mnst-duap
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@5.5.4
aliases CVE-2024-28191, GHSA-747v-52c4-8vj8
risk_score 1.4
exploitability 0.5
weighted_severity 2.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jzx2-et8q-7qhm
13
url VCID-mt93-hcnp-13ah
vulnerability_id VCID-mt93-hcnp-13ah
summary 
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Contao is an open source content management system. Prior to versions 4.9.40, 4.13.21, and 5.1.4, logged in users can list arbitrary system files in the file manager by manipulating the Ajax request. However, it is not possible to read the contents of these files. Users should update to Contao 4.9.40, 4.13.21 or 5.1.4 to receive a patch. There are no known workarounds.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-29200
reference_id
reference_type
scores
0
value 0.00578
scoring_system epss
scoring_elements 0.69277
published_at 2026-06-06T12:55:00Z
1
value 0.00578
scoring_system epss
scoring_elements 0.69252
published_at 2026-06-08T12:55:00Z
2
value 0.00578
scoring_system epss
scoring_elements 0.69268
published_at 2026-06-07T12:55:00Z
3
value 0.00578
scoring_system epss
scoring_elements 0.69269
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-29200
1
reference_url https://contao.org/en/security-advisories/directory-traversal-in-the-file-manager
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-03T19:37:07Z/
url https://contao.org/en/security-advisories/directory-traversal-in-the-file-manager
2
reference_url https://contao.org/en/security-advisories/directory-traversal-in-the-file-manager.html
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://contao.org/en/security-advisories/directory-traversal-in-the-file-manager.html
3
reference_url https://github.com/contao/contao
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/contao/contao
4
reference_url https://github.com/contao/contao/commit/6f3e705f4ff23f4419563d09d8485793569f31df
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-03T19:37:07Z/
url https://github.com/contao/contao/commit/6f3e705f4ff23f4419563d09d8485793569f31df
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-29200
reference_id CVE-2023-29200
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-29200
6
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2023-29200.yaml
reference_id CVE-2023-29200.YAML
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2023-29200.yaml
7
reference_url https://github.com/advisories/GHSA-fp7q-xhhw-6rj3
reference_id GHSA-fp7q-xhhw-6rj3
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-fp7q-xhhw-6rj3
8
reference_url https://github.com/contao/contao/security/advisories/GHSA-fp7q-xhhw-6rj3
reference_id GHSA-fp7q-xhhw-6rj3
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-03T19:37:07Z/
url https://github.com/contao/contao/security/advisories/GHSA-fp7q-xhhw-6rj3
fixed_packages
0
url pkg:composer/contao/core-bundle@4.9.40
purl pkg:composer/contao/core-bundle@4.9.40
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-f1az-1ejn-53f7
2
vulnerability VCID-f8ny-db5g-pkhw
3
vulnerability VCID-gzzh-6ysu-9yey
4
vulnerability VCID-h8k9-qw2h-zyd2
5
vulnerability VCID-jbcs-b2p9-myhz
6
vulnerability VCID-jzx2-et8q-7qhm
7
vulnerability VCID-n4wc-kknf-hffb
8
vulnerability VCID-nepv-9985-37g4
9
vulnerability VCID-r1h5-ag74-dbaw
10
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.9.40
1
url pkg:composer/contao/core-bundle@4.10.0-RC1
purl pkg:composer/contao/core-bundle@4.10.0-RC1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-f1az-1ejn-53f7
2
vulnerability VCID-f8ny-db5g-pkhw
3
vulnerability VCID-gzzh-6ysu-9yey
4
vulnerability VCID-h8k9-qw2h-zyd2
5
vulnerability VCID-jbcs-b2p9-myhz
6
vulnerability VCID-jzx2-et8q-7qhm
7
vulnerability VCID-n4wc-kknf-hffb
8
vulnerability VCID-qvqr-t2ka-zybq
9
vulnerability VCID-r1h5-ag74-dbaw
10
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.10.0-RC1
2
url pkg:composer/contao/core-bundle@4.13.21
purl pkg:composer/contao/core-bundle@4.13.21
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-f1az-1ejn-53f7
2
vulnerability VCID-f8ny-db5g-pkhw
3
vulnerability VCID-gwea-1srz-9uca
4
vulnerability VCID-gzzh-6ysu-9yey
5
vulnerability VCID-h8k9-qw2h-zyd2
6
vulnerability VCID-jbcs-b2p9-myhz
7
vulnerability VCID-jzx2-et8q-7qhm
8
vulnerability VCID-n4wc-kknf-hffb
9
vulnerability VCID-nepv-9985-37g4
10
vulnerability VCID-r1h5-ag74-dbaw
11
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.13.21
3
url pkg:composer/contao/core-bundle@5.0.0-RC1
purl pkg:composer/contao/core-bundle@5.0.0-RC1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-afma-748j-uqae
1
vulnerability VCID-f1az-1ejn-53f7
2
vulnerability VCID-gzzh-6ysu-9yey
3
vulnerability VCID-jbcs-b2p9-myhz
4
vulnerability VCID-jzx2-et8q-7qhm
5
vulnerability VCID-r1h5-ag74-dbaw
6
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@5.0.0-RC1
4
url pkg:composer/contao/core-bundle@5.1.4
purl pkg:composer/contao/core-bundle@5.1.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-afma-748j-uqae
1
vulnerability VCID-f1az-1ejn-53f7
2
vulnerability VCID-f8ny-db5g-pkhw
3
vulnerability VCID-gwea-1srz-9uca
4
vulnerability VCID-gzzh-6ysu-9yey
5
vulnerability VCID-jbcs-b2p9-myhz
6
vulnerability VCID-jzx2-et8q-7qhm
7
vulnerability VCID-nepv-9985-37g4
8
vulnerability VCID-r1h5-ag74-dbaw
9
vulnerability VCID-wyd5-t8at-8bba
10
vulnerability VCID-ycnh-mnst-duap
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@5.1.4
5
url pkg:composer/contao/core-bundle@5.5.4
purl pkg:composer/contao/core-bundle@5.5.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-afma-748j-uqae
2
vulnerability VCID-f1az-1ejn-53f7
3
vulnerability VCID-p4tq-y4en-57ag
4
vulnerability VCID-r1h5-ag74-dbaw
5
vulnerability VCID-wyd5-t8at-8bba
6
vulnerability VCID-ycnh-mnst-duap
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@5.5.4
aliases CVE-2023-29200, GHSA-fp7q-xhhw-6rj3
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-mt93-hcnp-13ah
14
url VCID-n4wc-kknf-hffb
vulnerability_id VCID-n4wc-kknf-hffb
summary 
Contao affected by directory traversal in the file selector widget
Back end users can list files outside their file mounts or the document root in the FileSelector widget.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-45604
reference_id
reference_type
scores
0
value 0.00747
scoring_system epss
scoring_elements 0.7347
published_at 2026-06-07T12:55:00Z
1
value 0.00747
scoring_system epss
scoring_elements 0.73483
published_at 2026-06-06T12:55:00Z
2
value 0.00747
scoring_system epss
scoring_elements 0.73478
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-45604
1
reference_url https://contao.org/en/security-advisories/directory-traversal-in-the-fileselector-widget
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-18T13:09:34Z/
url https://contao.org/en/security-advisories/directory-traversal-in-the-fileselector-widget
2
reference_url https://github.com/contao/contao
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/contao/contao
3
reference_url https://github.com/contao/contao/commit/63409c6bdfd95197d9906e229d765b630d45742e
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/contao/contao/commit/63409c6bdfd95197d9906e229d765b630d45742e
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-45604
reference_id CVE-2024-45604
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-45604
5
reference_url https://github.com/advisories/GHSA-4p75-5p53-65m9
reference_id GHSA-4p75-5p53-65m9
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-4p75-5p53-65m9
6
reference_url https://github.com/contao/contao/security/advisories/GHSA-4p75-5p53-65m9
reference_id GHSA-4p75-5p53-65m9
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-18T13:09:34Z/
url https://github.com/contao/contao/security/advisories/GHSA-4p75-5p53-65m9
fixed_packages
0
url pkg:composer/contao/core-bundle@4.13.49
purl pkg:composer/contao/core-bundle@4.13.49
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-f1az-1ejn-53f7
2
vulnerability VCID-r1h5-ag74-dbaw
3
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.13.49
1
url pkg:composer/contao/core-bundle@5.0.0-RC1
purl pkg:composer/contao/core-bundle@5.0.0-RC1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-afma-748j-uqae
1
vulnerability VCID-f1az-1ejn-53f7
2
vulnerability VCID-gzzh-6ysu-9yey
3
vulnerability VCID-jbcs-b2p9-myhz
4
vulnerability VCID-jzx2-et8q-7qhm
5
vulnerability VCID-r1h5-ag74-dbaw
6
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@5.0.0-RC1
aliases CVE-2024-45604, GHSA-4p75-5p53-65m9
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-n4wc-kknf-hffb
15
url VCID-nepv-9985-37g4
vulnerability_id VCID-nepv-9985-37g4
summary 
Cross site scripting via input unit widget
Authenticated users can inject malicious code in widgets with units, which is then executed both in the element preview (back end) and on the website (front end).
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-36806
reference_id
reference_type
scores
0
value 0.00384
scoring_system epss
scoring_elements 0.59987
published_at 2026-06-08T12:55:00Z
1
value 0.00384
scoring_system epss
scoring_elements 0.60005
published_at 2026-06-07T12:55:00Z
2
value 0.00384
scoring_system epss
scoring_elements 0.60017
published_at 2026-06-06T12:55:00Z
3
value 0.00384
scoring_system epss
scoring_elements 0.60013
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-36806
1
reference_url https://github.com/contao/contao
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/contao/contao
2
reference_url https://github.com/contao/contao/commit/5c9aff32cfc1f7dc452a045862ac2f86a6b9b4b4
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value 6.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-23T18:55:31Z/
url https://github.com/contao/contao/commit/5c9aff32cfc1f7dc452a045862ac2f86a6b9b4b4
3
reference_url https://github.com/contao/contao/commit/c98585d36baa25fda69c062421e7e7eadc53c82b
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value 6.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-23T18:55:31Z/
url https://github.com/contao/contao/commit/c98585d36baa25fda69c062421e7e7eadc53c82b
4
reference_url https://github.com/contao/contao/commit/ccb64c777eb0f9c0e6490c9135d80e915d37cd32
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value 6.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-23T18:55:31Z/
url https://github.com/contao/contao/commit/ccb64c777eb0f9c0e6490c9135d80e915d37cd32
5
reference_url https://herolab.usd.de/security-advisories/usd-2023-0020
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://herolab.usd.de/security-advisories/usd-2023-0020
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-36806
reference_id CVE-2023-36806
reference_type
scores
0
value 6.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-36806
7
reference_url https://github.com/advisories/GHSA-4gpr-p634-922x
reference_id GHSA-4gpr-p634-922x
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-4gpr-p634-922x
8
reference_url https://github.com/contao/contao/security/advisories/GHSA-4gpr-p634-922x
reference_id GHSA-4gpr-p634-922x
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value 6.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-23T18:55:31Z/
url https://github.com/contao/contao/security/advisories/GHSA-4gpr-p634-922x
9
reference_url https://herolab.usd.de/security-advisories/usd-2023-0020/
reference_id usd-2023-0020
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-23T18:55:31Z/
url https://herolab.usd.de/security-advisories/usd-2023-0020/
fixed_packages
0
url pkg:composer/contao/core-bundle@4.9.42
purl pkg:composer/contao/core-bundle@4.9.42
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-f1az-1ejn-53f7
2
vulnerability VCID-f8ny-db5g-pkhw
3
vulnerability VCID-gzzh-6ysu-9yey
4
vulnerability VCID-h8k9-qw2h-zyd2
5
vulnerability VCID-jbcs-b2p9-myhz
6
vulnerability VCID-jzx2-et8q-7qhm
7
vulnerability VCID-n4wc-kknf-hffb
8
vulnerability VCID-r1h5-ag74-dbaw
9
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.9.42
1
url pkg:composer/contao/core-bundle@4.10.0-RC1
purl pkg:composer/contao/core-bundle@4.10.0-RC1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-f1az-1ejn-53f7
2
vulnerability VCID-f8ny-db5g-pkhw
3
vulnerability VCID-gzzh-6ysu-9yey
4
vulnerability VCID-h8k9-qw2h-zyd2
5
vulnerability VCID-jbcs-b2p9-myhz
6
vulnerability VCID-jzx2-et8q-7qhm
7
vulnerability VCID-n4wc-kknf-hffb
8
vulnerability VCID-qvqr-t2ka-zybq
9
vulnerability VCID-r1h5-ag74-dbaw
10
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.10.0-RC1
2
url pkg:composer/contao/core-bundle@4.13.28
purl pkg:composer/contao/core-bundle@4.13.28
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-f1az-1ejn-53f7
2
vulnerability VCID-f8ny-db5g-pkhw
3
vulnerability VCID-gwea-1srz-9uca
4
vulnerability VCID-gzzh-6ysu-9yey
5
vulnerability VCID-h8k9-qw2h-zyd2
6
vulnerability VCID-jbcs-b2p9-myhz
7
vulnerability VCID-jzx2-et8q-7qhm
8
vulnerability VCID-n4wc-kknf-hffb
9
vulnerability VCID-r1h5-ag74-dbaw
10
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.13.28
3
url pkg:composer/contao/core-bundle@5.0.0-RC1
purl pkg:composer/contao/core-bundle@5.0.0-RC1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-afma-748j-uqae
1
vulnerability VCID-f1az-1ejn-53f7
2
vulnerability VCID-gzzh-6ysu-9yey
3
vulnerability VCID-jbcs-b2p9-myhz
4
vulnerability VCID-jzx2-et8q-7qhm
5
vulnerability VCID-r1h5-ag74-dbaw
6
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@5.0.0-RC1
4
url pkg:composer/contao/core-bundle@5.1.10
purl pkg:composer/contao/core-bundle@5.1.10
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-afma-748j-uqae
1
vulnerability VCID-f1az-1ejn-53f7
2
vulnerability VCID-f8ny-db5g-pkhw
3
vulnerability VCID-gwea-1srz-9uca
4
vulnerability VCID-gzzh-6ysu-9yey
5
vulnerability VCID-jbcs-b2p9-myhz
6
vulnerability VCID-jzx2-et8q-7qhm
7
vulnerability VCID-r1h5-ag74-dbaw
8
vulnerability VCID-wyd5-t8at-8bba
9
vulnerability VCID-ycnh-mnst-duap
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@5.1.10
5
url pkg:composer/contao/core-bundle@5.2.0-RC1
purl pkg:composer/contao/core-bundle@5.2.0-RC1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-afma-748j-uqae
1
vulnerability VCID-f1az-1ejn-53f7
2
vulnerability VCID-f8ny-db5g-pkhw
3
vulnerability VCID-gwea-1srz-9uca
4
vulnerability VCID-gzzh-6ysu-9yey
5
vulnerability VCID-jbcs-b2p9-myhz
6
vulnerability VCID-jzx2-et8q-7qhm
7
vulnerability VCID-r1h5-ag74-dbaw
8
vulnerability VCID-wyd5-t8at-8bba
9
vulnerability VCID-ycnh-mnst-duap
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@5.2.0-RC1
aliases CVE-2023-36806, GHSA-4gpr-p634-922x
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nepv-9985-37g4
16
url VCID-qvqr-t2ka-zybq
vulnerability_id VCID-qvqr-t2ka-zybq
summary 
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site Scripting (XSS) in GitHub repository contao/contao prior to 4.13.3. Attacker can execute Malicious JS in Application :)
references
0
reference_url https://github.com/contao/contao/commit/199206849a87ddd0fa5cf674eb3c58292fd8366c
reference_id
reference_type
scores
url https://github.com/contao/contao/commit/199206849a87ddd0fa5cf674eb3c58292fd8366c
1
reference_url https://huntr.dev/bounties/df46e285-1b7f-403c-8f6c-8819e42deb80
reference_id
reference_type
scores
url https://huntr.dev/bounties/df46e285-1b7f-403c-8f6c-8819e42deb80
2
reference_url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/50945.tzt
reference_id CVE-2022-1588
reference_type exploit
scores
url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/50945.tzt
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-1588
reference_id CVE-2022-1588
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2022-1588
fixed_packages
0
url pkg:composer/contao/core-bundle@4.13.3
purl pkg:composer/contao/core-bundle@4.13.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-f1az-1ejn-53f7
2
vulnerability VCID-f8ny-db5g-pkhw
3
vulnerability VCID-gwea-1srz-9uca
4
vulnerability VCID-gzzh-6ysu-9yey
5
vulnerability VCID-h8k9-qw2h-zyd2
6
vulnerability VCID-jbcs-b2p9-myhz
7
vulnerability VCID-jzx2-et8q-7qhm
8
vulnerability VCID-mt93-hcnp-13ah
9
vulnerability VCID-n4wc-kknf-hffb
10
vulnerability VCID-nepv-9985-37g4
11
vulnerability VCID-r1h5-ag74-dbaw
12
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.13.3
1
url pkg:composer/contao/core-bundle@5.5.4
purl pkg:composer/contao/core-bundle@5.5.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-afma-748j-uqae
2
vulnerability VCID-f1az-1ejn-53f7
3
vulnerability VCID-p4tq-y4en-57ag
4
vulnerability VCID-r1h5-ag74-dbaw
5
vulnerability VCID-wyd5-t8at-8bba
6
vulnerability VCID-ycnh-mnst-duap
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@5.5.4
aliases CVE-2022-1588
risk_score null
exploitability 2.0
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qvqr-t2ka-zybq
17
url VCID-r1h5-ag74-dbaw
vulnerability_id VCID-r1h5-ag74-dbaw
summary 
Contao is vulnerable to cross-site scripting in templates
It is possible to inject code into the template output that will be executed in the browser in the front end and back end.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-65961
reference_id
reference_type
scores
0
value 0.0002
scoring_system epss
scoring_elements 0.05685
published_at 2026-06-07T12:55:00Z
1
value 0.0002
scoring_system epss
scoring_elements 0.05699
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-65961
1
reference_url https://contao.org/en/security-advisories/cross-site-scripting-in-templates
reference_id
reference_type
scores
0
value 3.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-25T19:28:53Z/
url https://contao.org/en/security-advisories/cross-site-scripting-in-templates
2
reference_url https://github.com/contao/contao
reference_id
reference_type
scores
0
value 3.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/contao/contao
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-65961
reference_id CVE-2025-65961
reference_type
scores
0
value 3.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-65961
4
reference_url https://github.com/advisories/GHSA-68q5-78xp-cwwc
reference_id GHSA-68q5-78xp-cwwc
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-68q5-78xp-cwwc
5
reference_url https://github.com/contao/contao/security/advisories/GHSA-68q5-78xp-cwwc
reference_id GHSA-68q5-78xp-cwwc
reference_type
scores
0
value 3.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-25T19:28:53Z/
url https://github.com/contao/contao/security/advisories/GHSA-68q5-78xp-cwwc
fixed_packages
0
url pkg:composer/contao/core-bundle@4.13.57
purl pkg:composer/contao/core-bundle@4.13.57
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.13.57
1
url pkg:composer/contao/core-bundle@5.3.42
purl pkg:composer/contao/core-bundle@5.3.42
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@5.3.42
2
url pkg:composer/contao/core-bundle@5.6.5
purl pkg:composer/contao/core-bundle@5.6.5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@5.6.5
aliases CVE-2025-65961, GHSA-68q5-78xp-cwwc
risk_score 1.5
exploitability 0.5
weighted_severity 3.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-r1h5-ag74-dbaw
18
url VCID-rj3d-jeyz-vye5
vulnerability_id VCID-rj3d-jeyz-vye5
summary 
Improper Privilege Management
Contao is an open source CMS that allows creation of websites and scalable web applications.All users are advised to update to Contao As a workaround users may disable the form generator or disable the login for untrusted back end users.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-37627
reference_id
reference_type
scores
0
value 0.00485
scoring_system epss
scoring_elements 0.657
published_at 2026-06-04T12:55:00Z
1
value 0.00485
scoring_system epss
scoring_elements 0.6574
published_at 2026-06-08T12:55:00Z
2
value 0.00485
scoring_system epss
scoring_elements 0.6575
published_at 2026-06-07T12:55:00Z
3
value 0.00485
scoring_system epss
scoring_elements 0.65764
published_at 2026-06-06T12:55:00Z
4
value 0.00485
scoring_system epss
scoring_elements 0.65752
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-37627
1
reference_url https://contao.org/en/security-advisories/privilege-escalation-with-the-form-generator.html
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://contao.org/en/security-advisories/privilege-escalation-with-the-form-generator.html
2
reference_url https://github.com/contao/contao
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/contao/contao
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-37627
reference_id CVE-2021-37627
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-37627
4
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2021-37627.yaml
reference_id CVE-2021-37627.YAML
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2021-37627.yaml
5
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2021-37627.yaml
reference_id CVE-2021-37627.YAML
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2021-37627.yaml
6
reference_url https://github.com/advisories/GHSA-hq5m-mqmx-fw6m
reference_id GHSA-hq5m-mqmx-fw6m
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-hq5m-mqmx-fw6m
7
reference_url https://github.com/contao/contao/security/advisories/GHSA-hq5m-mqmx-fw6m
reference_id GHSA-hq5m-mqmx-fw6m
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/contao/contao/security/advisories/GHSA-hq5m-mqmx-fw6m
fixed_packages
0
url pkg:composer/contao/core-bundle@4.4.56
purl pkg:composer/contao/core-bundle@4.4.56
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-f8ny-db5g-pkhw
2
vulnerability VCID-h8k9-qw2h-zyd2
3
vulnerability VCID-jbcs-b2p9-myhz
4
vulnerability VCID-jzx2-et8q-7qhm
5
vulnerability VCID-mt93-hcnp-13ah
6
vulnerability VCID-n4wc-kknf-hffb
7
vulnerability VCID-nepv-9985-37g4
8
vulnerability VCID-qvqr-t2ka-zybq
9
vulnerability VCID-r1h5-ag74-dbaw
10
vulnerability VCID-rj3d-jeyz-vye5
11
vulnerability VCID-t2u3-tgg3-cbb9
12
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.4.56
1
url pkg:composer/contao/core-bundle@4.5.0-RC1
purl pkg:composer/contao/core-bundle@4.5.0-RC1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-f8ny-db5g-pkhw
2
vulnerability VCID-h8k9-qw2h-zyd2
3
vulnerability VCID-jbcs-b2p9-myhz
4
vulnerability VCID-jzx2-et8q-7qhm
5
vulnerability VCID-mt93-hcnp-13ah
6
vulnerability VCID-n4wc-kknf-hffb
7
vulnerability VCID-nepv-9985-37g4
8
vulnerability VCID-qvqr-t2ka-zybq
9
vulnerability VCID-r1h5-ag74-dbaw
10
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.5.0-RC1
2
url pkg:composer/contao/core-bundle@4.9.18
purl pkg:composer/contao/core-bundle@4.9.18
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-f1az-1ejn-53f7
2
vulnerability VCID-f8ny-db5g-pkhw
3
vulnerability VCID-gzzh-6ysu-9yey
4
vulnerability VCID-h8k9-qw2h-zyd2
5
vulnerability VCID-jbcs-b2p9-myhz
6
vulnerability VCID-jzx2-et8q-7qhm
7
vulnerability VCID-mt93-hcnp-13ah
8
vulnerability VCID-n4wc-kknf-hffb
9
vulnerability VCID-nepv-9985-37g4
10
vulnerability VCID-qvqr-t2ka-zybq
11
vulnerability VCID-r1h5-ag74-dbaw
12
vulnerability VCID-rj3d-jeyz-vye5
13
vulnerability VCID-t2u3-tgg3-cbb9
14
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.9.18
3
url pkg:composer/contao/core-bundle@4.9.19
purl pkg:composer/contao/core-bundle@4.9.19
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-f1az-1ejn-53f7
2
vulnerability VCID-f8ny-db5g-pkhw
3
vulnerability VCID-gzzh-6ysu-9yey
4
vulnerability VCID-h8k9-qw2h-zyd2
5
vulnerability VCID-jbcs-b2p9-myhz
6
vulnerability VCID-jzx2-et8q-7qhm
7
vulnerability VCID-mt93-hcnp-13ah
8
vulnerability VCID-n4wc-kknf-hffb
9
vulnerability VCID-nepv-9985-37g4
10
vulnerability VCID-qvqr-t2ka-zybq
11
vulnerability VCID-r1h5-ag74-dbaw
12
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.9.19
4
url pkg:composer/contao/core-bundle@4.10.0-RC1
purl pkg:composer/contao/core-bundle@4.10.0-RC1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-f1az-1ejn-53f7
2
vulnerability VCID-f8ny-db5g-pkhw
3
vulnerability VCID-gzzh-6ysu-9yey
4
vulnerability VCID-h8k9-qw2h-zyd2
5
vulnerability VCID-jbcs-b2p9-myhz
6
vulnerability VCID-jzx2-et8q-7qhm
7
vulnerability VCID-n4wc-kknf-hffb
8
vulnerability VCID-qvqr-t2ka-zybq
9
vulnerability VCID-r1h5-ag74-dbaw
10
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.10.0-RC1
5
url pkg:composer/contao/core-bundle@4.11.7
purl pkg:composer/contao/core-bundle@4.11.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-f1az-1ejn-53f7
2
vulnerability VCID-f8ny-db5g-pkhw
3
vulnerability VCID-gzzh-6ysu-9yey
4
vulnerability VCID-h8k9-qw2h-zyd2
5
vulnerability VCID-jbcs-b2p9-myhz
6
vulnerability VCID-jzx2-et8q-7qhm
7
vulnerability VCID-mt93-hcnp-13ah
8
vulnerability VCID-n4wc-kknf-hffb
9
vulnerability VCID-nepv-9985-37g4
10
vulnerability VCID-qvqr-t2ka-zybq
11
vulnerability VCID-r1h5-ag74-dbaw
12
vulnerability VCID-rj3d-jeyz-vye5
13
vulnerability VCID-t2u3-tgg3-cbb9
14
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.11.7
6
url pkg:composer/contao/core-bundle@4.11.8
purl pkg:composer/contao/core-bundle@4.11.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-f1az-1ejn-53f7
2
vulnerability VCID-f8ny-db5g-pkhw
3
vulnerability VCID-gzzh-6ysu-9yey
4
vulnerability VCID-h8k9-qw2h-zyd2
5
vulnerability VCID-jbcs-b2p9-myhz
6
vulnerability VCID-jzx2-et8q-7qhm
7
vulnerability VCID-mt93-hcnp-13ah
8
vulnerability VCID-n4wc-kknf-hffb
9
vulnerability VCID-nepv-9985-37g4
10
vulnerability VCID-qvqr-t2ka-zybq
11
vulnerability VCID-r1h5-ag74-dbaw
12
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.11.8
7
url pkg:composer/contao/core-bundle@4.12.0-RC1
purl pkg:composer/contao/core-bundle@4.12.0-RC1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-f1az-1ejn-53f7
2
vulnerability VCID-f8ny-db5g-pkhw
3
vulnerability VCID-gzzh-6ysu-9yey
4
vulnerability VCID-h8k9-qw2h-zyd2
5
vulnerability VCID-jbcs-b2p9-myhz
6
vulnerability VCID-jzx2-et8q-7qhm
7
vulnerability VCID-mt93-hcnp-13ah
8
vulnerability VCID-n4wc-kknf-hffb
9
vulnerability VCID-nepv-9985-37g4
10
vulnerability VCID-qvqr-t2ka-zybq
11
vulnerability VCID-r1h5-ag74-dbaw
12
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.12.0-RC1
aliases CVE-2021-37627, GHSA-hq5m-mqmx-fw6m
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rj3d-jeyz-vye5
19
url VCID-t2u3-tgg3-cbb9
vulnerability_id VCID-t2u3-tgg3-cbb9
summary 
Code Injection
Contao is an open source CMS that allows you to create websites and scalable web applications.Update to Contao to resolve. If you cannot update then disable the login for untrusted back end users.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-37626
reference_id
reference_type
scores
0
value 0.00492
scoring_system epss
scoring_elements 0.66006
published_at 2026-06-04T12:55:00Z
1
value 0.00492
scoring_system epss
scoring_elements 0.66042
published_at 2026-06-08T12:55:00Z
2
value 0.00492
scoring_system epss
scoring_elements 0.66054
published_at 2026-06-07T12:55:00Z
3
value 0.00492
scoring_system epss
scoring_elements 0.6607
published_at 2026-06-06T12:55:00Z
4
value 0.00492
scoring_system epss
scoring_elements 0.66058
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-37626
1
reference_url https://contao.org/en/security-advisories/php-file-inclusion-via-insert-tags.html
reference_id
reference_type
scores
0
value 6.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://contao.org/en/security-advisories/php-file-inclusion-via-insert-tags.html
2
reference_url https://github.com/contao/contao
reference_id
reference_type
scores
0
value 6.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/contao/contao
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-37626
reference_id CVE-2021-37626
reference_type
scores
0
value 6.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-37626
4
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2021-37626.yaml
reference_id CVE-2021-37626.YAML
reference_type
scores
0
value 6.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2021-37626.yaml
5
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2021-37626.yaml
reference_id CVE-2021-37626.YAML
reference_type
scores
0
value 6.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2021-37626.yaml
6
reference_url https://github.com/advisories/GHSA-r6mv-ppjc-4hgr
reference_id GHSA-r6mv-ppjc-4hgr
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-r6mv-ppjc-4hgr
7
reference_url https://github.com/contao/contao/security/advisories/GHSA-r6mv-ppjc-4hgr
reference_id GHSA-r6mv-ppjc-4hgr
reference_type
scores
0
value 6.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/contao/contao/security/advisories/GHSA-r6mv-ppjc-4hgr
fixed_packages
0
url pkg:composer/contao/core-bundle@4.4.56
purl pkg:composer/contao/core-bundle@4.4.56
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-f8ny-db5g-pkhw
2
vulnerability VCID-h8k9-qw2h-zyd2
3
vulnerability VCID-jbcs-b2p9-myhz
4
vulnerability VCID-jzx2-et8q-7qhm
5
vulnerability VCID-mt93-hcnp-13ah
6
vulnerability VCID-n4wc-kknf-hffb
7
vulnerability VCID-nepv-9985-37g4
8
vulnerability VCID-qvqr-t2ka-zybq
9
vulnerability VCID-r1h5-ag74-dbaw
10
vulnerability VCID-rj3d-jeyz-vye5
11
vulnerability VCID-t2u3-tgg3-cbb9
12
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.4.56
1
url pkg:composer/contao/core-bundle@4.5.0-RC1
purl pkg:composer/contao/core-bundle@4.5.0-RC1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-f8ny-db5g-pkhw
2
vulnerability VCID-h8k9-qw2h-zyd2
3
vulnerability VCID-jbcs-b2p9-myhz
4
vulnerability VCID-jzx2-et8q-7qhm
5
vulnerability VCID-mt93-hcnp-13ah
6
vulnerability VCID-n4wc-kknf-hffb
7
vulnerability VCID-nepv-9985-37g4
8
vulnerability VCID-qvqr-t2ka-zybq
9
vulnerability VCID-r1h5-ag74-dbaw
10
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.5.0-RC1
2
url pkg:composer/contao/core-bundle@4.9.18
purl pkg:composer/contao/core-bundle@4.9.18
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-f1az-1ejn-53f7
2
vulnerability VCID-f8ny-db5g-pkhw
3
vulnerability VCID-gzzh-6ysu-9yey
4
vulnerability VCID-h8k9-qw2h-zyd2
5
vulnerability VCID-jbcs-b2p9-myhz
6
vulnerability VCID-jzx2-et8q-7qhm
7
vulnerability VCID-mt93-hcnp-13ah
8
vulnerability VCID-n4wc-kknf-hffb
9
vulnerability VCID-nepv-9985-37g4
10
vulnerability VCID-qvqr-t2ka-zybq
11
vulnerability VCID-r1h5-ag74-dbaw
12
vulnerability VCID-rj3d-jeyz-vye5
13
vulnerability VCID-t2u3-tgg3-cbb9
14
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.9.18
3
url pkg:composer/contao/core-bundle@4.9.19
purl pkg:composer/contao/core-bundle@4.9.19
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-f1az-1ejn-53f7
2
vulnerability VCID-f8ny-db5g-pkhw
3
vulnerability VCID-gzzh-6ysu-9yey
4
vulnerability VCID-h8k9-qw2h-zyd2
5
vulnerability VCID-jbcs-b2p9-myhz
6
vulnerability VCID-jzx2-et8q-7qhm
7
vulnerability VCID-mt93-hcnp-13ah
8
vulnerability VCID-n4wc-kknf-hffb
9
vulnerability VCID-nepv-9985-37g4
10
vulnerability VCID-qvqr-t2ka-zybq
11
vulnerability VCID-r1h5-ag74-dbaw
12
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.9.19
4
url pkg:composer/contao/core-bundle@4.10.0-RC1
purl pkg:composer/contao/core-bundle@4.10.0-RC1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-f1az-1ejn-53f7
2
vulnerability VCID-f8ny-db5g-pkhw
3
vulnerability VCID-gzzh-6ysu-9yey
4
vulnerability VCID-h8k9-qw2h-zyd2
5
vulnerability VCID-jbcs-b2p9-myhz
6
vulnerability VCID-jzx2-et8q-7qhm
7
vulnerability VCID-n4wc-kknf-hffb
8
vulnerability VCID-qvqr-t2ka-zybq
9
vulnerability VCID-r1h5-ag74-dbaw
10
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.10.0-RC1
5
url pkg:composer/contao/core-bundle@4.11.7
purl pkg:composer/contao/core-bundle@4.11.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-f1az-1ejn-53f7
2
vulnerability VCID-f8ny-db5g-pkhw
3
vulnerability VCID-gzzh-6ysu-9yey
4
vulnerability VCID-h8k9-qw2h-zyd2
5
vulnerability VCID-jbcs-b2p9-myhz
6
vulnerability VCID-jzx2-et8q-7qhm
7
vulnerability VCID-mt93-hcnp-13ah
8
vulnerability VCID-n4wc-kknf-hffb
9
vulnerability VCID-nepv-9985-37g4
10
vulnerability VCID-qvqr-t2ka-zybq
11
vulnerability VCID-r1h5-ag74-dbaw
12
vulnerability VCID-rj3d-jeyz-vye5
13
vulnerability VCID-t2u3-tgg3-cbb9
14
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.11.7
6
url pkg:composer/contao/core-bundle@4.11.8
purl pkg:composer/contao/core-bundle@4.11.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-f1az-1ejn-53f7
2
vulnerability VCID-f8ny-db5g-pkhw
3
vulnerability VCID-gzzh-6ysu-9yey
4
vulnerability VCID-h8k9-qw2h-zyd2
5
vulnerability VCID-jbcs-b2p9-myhz
6
vulnerability VCID-jzx2-et8q-7qhm
7
vulnerability VCID-mt93-hcnp-13ah
8
vulnerability VCID-n4wc-kknf-hffb
9
vulnerability VCID-nepv-9985-37g4
10
vulnerability VCID-qvqr-t2ka-zybq
11
vulnerability VCID-r1h5-ag74-dbaw
12
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.11.8
7
url pkg:composer/contao/core-bundle@4.12.0-RC1
purl pkg:composer/contao/core-bundle@4.12.0-RC1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-f1az-1ejn-53f7
2
vulnerability VCID-f8ny-db5g-pkhw
3
vulnerability VCID-gzzh-6ysu-9yey
4
vulnerability VCID-h8k9-qw2h-zyd2
5
vulnerability VCID-jbcs-b2p9-myhz
6
vulnerability VCID-jzx2-et8q-7qhm
7
vulnerability VCID-mt93-hcnp-13ah
8
vulnerability VCID-n4wc-kknf-hffb
9
vulnerability VCID-nepv-9985-37g4
10
vulnerability VCID-qvqr-t2ka-zybq
11
vulnerability VCID-r1h5-ag74-dbaw
12
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.12.0-RC1
aliases CVE-2021-37626, GHSA-r6mv-ppjc-4hgr
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-t2u3-tgg3-cbb9
20
url VCID-u6sk-25yd-e7b2
vulnerability_id VCID-u6sk-25yd-e7b2
summary 
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Contao before 4.4.52, 4.9.x before 4.9.6, and 4.10.x before 4.10.1 have Improper Input Validation. It is possible to inject insert tags in front end forms which will be replaced when the page is rendered.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-25768
reference_id
reference_type
scores
0
value 0.0031
scoring_system epss
scoring_elements 0.54463
published_at 2026-06-04T12:55:00Z
1
value 0.0031
scoring_system epss
scoring_elements 0.54499
published_at 2026-06-08T12:55:00Z
2
value 0.0031
scoring_system epss
scoring_elements 0.5452
published_at 2026-06-07T12:55:00Z
3
value 0.0031
scoring_system epss
scoring_elements 0.54531
published_at 2026-06-06T12:55:00Z
4
value 0.0031
scoring_system epss
scoring_elements 0.54521
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-25768
1
reference_url https://community.contao.org/en/forumdisplay.php?4-Announcements
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://community.contao.org/en/forumdisplay.php?4-Announcements
2
reference_url https://contao.org/en/security-advisories/insert-tag-injection-in-forms.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://contao.org/en/security-advisories/insert-tag-injection-in-forms.html
3
reference_url https://github.com/contao/contao
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/contao/contao
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-25768
reference_id CVE-2020-25768
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-25768
5
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2020-25768.yaml
reference_id CVE-2020-25768.YAML
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2020-25768.yaml
6
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2020-25768.yaml
reference_id CVE-2020-25768.YAML
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2020-25768.yaml
7
reference_url https://github.com/advisories/GHSA-f7wm-x4gw-6m23
reference_id GHSA-f7wm-x4gw-6m23
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-f7wm-x4gw-6m23
8
reference_url https://github.com/contao/contao/security/advisories/GHSA-f7wm-x4gw-6m23
reference_id GHSA-f7wm-x4gw-6m23
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/contao/contao/security/advisories/GHSA-f7wm-x4gw-6m23
fixed_packages
0
url pkg:composer/contao/core-bundle@4.4.52
purl pkg:composer/contao/core-bundle@4.4.52
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-82d1-8yn8-sydv
2
vulnerability VCID-f8ny-db5g-pkhw
3
vulnerability VCID-h8k9-qw2h-zyd2
4
vulnerability VCID-jbcs-b2p9-myhz
5
vulnerability VCID-jzx2-et8q-7qhm
6
vulnerability VCID-mt93-hcnp-13ah
7
vulnerability VCID-n4wc-kknf-hffb
8
vulnerability VCID-nepv-9985-37g4
9
vulnerability VCID-qvqr-t2ka-zybq
10
vulnerability VCID-r1h5-ag74-dbaw
11
vulnerability VCID-rj3d-jeyz-vye5
12
vulnerability VCID-t2u3-tgg3-cbb9
13
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.4.52
1
url pkg:composer/contao/core-bundle@4.9.6
purl pkg:composer/contao/core-bundle@4.9.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-82d1-8yn8-sydv
2
vulnerability VCID-azpb-eq6c-e7bw
3
vulnerability VCID-f8ny-db5g-pkhw
4
vulnerability VCID-gzzh-6ysu-9yey
5
vulnerability VCID-h8k9-qw2h-zyd2
6
vulnerability VCID-jbcs-b2p9-myhz
7
vulnerability VCID-jzx2-et8q-7qhm
8
vulnerability VCID-mt93-hcnp-13ah
9
vulnerability VCID-n4wc-kknf-hffb
10
vulnerability VCID-nepv-9985-37g4
11
vulnerability VCID-qvqr-t2ka-zybq
12
vulnerability VCID-r1h5-ag74-dbaw
13
vulnerability VCID-rj3d-jeyz-vye5
14
vulnerability VCID-t2u3-tgg3-cbb9
15
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.9.6
2
url pkg:composer/contao/core-bundle@4.10.1
purl pkg:composer/contao/core-bundle@4.10.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2w7m-mb7e-tqe6
1
vulnerability VCID-82d1-8yn8-sydv
2
vulnerability VCID-azpb-eq6c-e7bw
3
vulnerability VCID-f1az-1ejn-53f7
4
vulnerability VCID-f8ny-db5g-pkhw
5
vulnerability VCID-gzzh-6ysu-9yey
6
vulnerability VCID-h8k9-qw2h-zyd2
7
vulnerability VCID-jbcs-b2p9-myhz
8
vulnerability VCID-jzx2-et8q-7qhm
9
vulnerability VCID-mt93-hcnp-13ah
10
vulnerability VCID-n4wc-kknf-hffb
11
vulnerability VCID-nepv-9985-37g4
12
vulnerability VCID-qvqr-t2ka-zybq
13
vulnerability VCID-r1h5-ag74-dbaw
14
vulnerability VCID-rj3d-jeyz-vye5
15
vulnerability VCID-t2u3-tgg3-cbb9
16
vulnerability VCID-wyd5-t8at-8bba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.10.1
aliases CVE-2020-25768, GHSA-f7wm-x4gw-6m23
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-u6sk-25yd-e7b2
21
url VCID-wyd5-t8at-8bba
vulnerability_id VCID-wyd5-t8at-8bba
summary 
Contao is vulnerable to remote code execution in template closures
Backend users with precise control over the contents of template closures can execute arbitrary PHP functions that do not have required parameters.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-65960
reference_id
reference_type
scores
0
value 0.0002
scoring_system epss
scoring_elements 0.05715
published_at 2026-06-07T12:55:00Z
1
value 0.0002
scoring_system epss
scoring_elements 0.05714
published_at 2026-06-06T12:55:00Z
2
value 0.0002
scoring_system epss
scoring_elements 0.05728
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-65960
1
reference_url https://contao.org/en/security-advisories/remote-code-execution-in-template-closures
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-11-25T19:59:53Z/
url https://contao.org/en/security-advisories/remote-code-execution-in-template-closures
2
reference_url https://github.com/contao/contao
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/contao/contao
3
reference_url https://github.com/contao/contao/commit/577d7fdd5b1ca84f65f034ff556865422f0a3bd1
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/contao/contao/commit/577d7fdd5b1ca84f65f034ff556865422f0a3bd1
4
reference_url https://github.com/contao/contao/commit/676f0855d39007ac9a0dbe7ae6a7414cba2312a5
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/contao/contao/commit/676f0855d39007ac9a0dbe7ae6a7414cba2312a5
5
reference_url https://github.com/contao/contao/commit/ebf84c90e5679a67060f396b924ce4a3c3f206b3
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/contao/contao/commit/ebf84c90e5679a67060f396b924ce4a3c3f206b3
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-65960
reference_id CVE-2025-65960
reference_type
scores
0
value 6.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-65960
7
reference_url https://github.com/advisories/GHSA-98vj-mm79-v77r
reference_id GHSA-98vj-mm79-v77r
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-98vj-mm79-v77r
8
reference_url https://github.com/contao/contao/security/advisories/GHSA-98vj-mm79-v77r
reference_id GHSA-98vj-mm79-v77r
reference_type
scores
0
value 6.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-11-25T19:59:53Z/
url https://github.com/contao/contao/security/advisories/GHSA-98vj-mm79-v77r
fixed_packages
0
url pkg:composer/contao/core-bundle@4.13.57
purl pkg:composer/contao/core-bundle@4.13.57
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.13.57
1
url pkg:composer/contao/core-bundle@5.3.42
purl pkg:composer/contao/core-bundle@5.3.42
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@5.3.42
2
url pkg:composer/contao/core-bundle@5.6.5
purl pkg:composer/contao/core-bundle@5.6.5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@5.6.5
aliases CVE-2025-65960, GHSA-98vj-mm79-v77r
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wyd5-t8at-8bba
Fixing_vulnerabilities
Risk_score4.5
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:composer/contao/core-bundle@4.2.0