VulnerableCode Package Details - pkg:composer/contao/core-bundle@4.4.39

Search for packages

Vulnerability	Summary	Fixed by
VCID-98fv-kpqs-mybc Aliases: CVE-2019-19745 GHSA-wjx8-cgrm-hh8p	Unrestricted Upload of File with Dangerous Type Contao allows PHP local file inclusion. A back end user with access to the form generator can upload arbitrary files and execute them on the server.	4.4.46 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 4.5.0-RC1 Affected by 0 other vulnerabilities. 4.8.6 Affected by 0 other vulnerabilities. 5.5.4 Affected by 0 other vulnerabilities.
VCID-ah8s-8q49-8qbw Aliases: CVE-2019-19712 GHSA-4mvc-qc5w-v5qr	Incorrect Default Permissions Contao 4.0 through 4.8.5 has Insecure Permissions. Back end users can manipulate the details view URL to show pages and articles that have not been enabled for them.	4.4.46 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 4.5.0-RC1 Affected by 0 other vulnerabilities. 4.8.6 Affected by 0 other vulnerabilities. 5.5.4 Affected by 0 other vulnerabilities.
VCID-u6sk-25yd-e7b2 Aliases: CVE-2020-25768 GHSA-f7wm-x4gw-6m23	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Contao before 4.4.52, 4.9.x before 4.9.6, and 4.10.x before 4.10.1 have Improper Input Validation. It is possible to inject insert tags in front end forms which will be replaced when the page is rendered.	4.4.52 Affected by 0 other vulnerabilities. 4.9.6 Affected by 0 other vulnerabilities. 4.10.1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-98fv-kpqs-mybc
Aliases:
CVE-2019-19745
GHSA-wjx8-cgrm-hh8p

Unrestricted Upload of File with Dangerous Type Contao allows PHP local file inclusion. A back end user with access to the form generator can upload arbitrary files and execute them on the server.

4.4.46
Affected by 1 other vulnerability.

4.5.0-RC1
Affected by 0 other vulnerabilities.

4.8.6
Affected by 0 other vulnerabilities.

5.5.4
Affected by 0 other vulnerabilities.

VCID-ah8s-8q49-8qbw
Aliases:
CVE-2019-19712
GHSA-4mvc-qc5w-v5qr

Incorrect Default Permissions Contao 4.0 through 4.8.5 has Insecure Permissions. Back end users can manipulate the details view URL to show pages and articles that have not been enabled for them.

4.4.46
Affected by 1 other vulnerability.

4.5.0-RC1
Affected by 0 other vulnerabilities.

4.8.6
Affected by 0 other vulnerabilities.

5.5.4
Affected by 0 other vulnerabilities.

VCID-u6sk-25yd-e7b2
Aliases:
CVE-2020-25768
GHSA-f7wm-x4gw-6m23

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Contao before 4.4.52, 4.9.x before 4.9.6, and 4.10.x before 4.10.1 have Improper Input Validation. It is possible to inject insert tags in front end forms which will be replaced when the page is rendered.

4.4.52
Affected by 0 other vulnerabilities.

4.9.6
Affected by 0 other vulnerabilities.

4.10.1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-3fux-z15d-13g1	Contao allows SQL Injection.	CVE-2019-11512 GHSA-vq59-x6mq-4wgw

Vulnerability

Summary

Aliases

VCID-3fux-z15d-13g1

Contao allows SQL Injection.

CVE-2019-11512
GHSA-vq59-x6mq-4wgw

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-04T20:39:49.813682+00:00	GitLab Importer	Affected by	VCID-u6sk-25yd-e7b2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core-bundle/CVE-2020-25768.yml	38.6.0
2026-06-04T20:26:06.906451+00:00	GitLab Importer	Affected by	VCID-ah8s-8q49-8qbw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core-bundle/CVE-2019-19712.yml	38.6.0
2026-06-04T20:26:04.064497+00:00	GitLab Importer	Affected by	VCID-98fv-kpqs-mybc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core-bundle/CVE-2019-19745.yml	38.6.0
2026-06-04T18:04:23.030804+00:00	GithubOSV Importer	Fixing	VCID-3fux-z15d-13g1	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-vq59-x6mq-4wgw/GHSA-vq59-x6mq-4wgw.json	38.6.0
2026-06-02T04:39:25.465116+00:00	GitLab Importer	Fixing	VCID-3fux-z15d-13g1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core-bundle/CVE-2019-11512.yml	38.6.0