VulnerableCode Package Details - pkg:composer/contao/core-bundle@4.4.46

Search for packages

Vulnerability	Summary	Fixed by
VCID-u6sk-25yd-e7b2 Aliases: CVE-2020-25768 GHSA-f7wm-x4gw-6m23	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Contao before 4.4.52, 4.9.x before 4.9.6, and 4.10.x before 4.10.1 have Improper Input Validation. It is possible to inject insert tags in front end forms which will be replaced when the page is rendered.	4.4.52 Affected by 0 other vulnerabilities. 4.9.6 Affected by 0 other vulnerabilities. 4.10.1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-u6sk-25yd-e7b2
Aliases:
CVE-2020-25768
GHSA-f7wm-x4gw-6m23

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Contao before 4.4.52, 4.9.x before 4.9.6, and 4.10.x before 4.10.1 have Improper Input Validation. It is possible to inject insert tags in front end forms which will be replaced when the page is rendered.

4.4.52
Affected by 0 other vulnerabilities.

4.9.6
Affected by 0 other vulnerabilities.

4.10.1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-98fv-kpqs-mybc	Unrestricted Upload of File with Dangerous Type Contao allows PHP local file inclusion. A back end user with access to the form generator can upload arbitrary files and execute them on the server.	CVE-2019-19745 GHSA-wjx8-cgrm-hh8p
VCID-ah8s-8q49-8qbw	Incorrect Default Permissions Contao 4.0 through 4.8.5 has Insecure Permissions. Back end users can manipulate the details view URL to show pages and articles that have not been enabled for them.	CVE-2019-19712 GHSA-4mvc-qc5w-v5qr

Vulnerability

Summary

Aliases

VCID-98fv-kpqs-mybc

Unrestricted Upload of File with Dangerous Type Contao allows PHP local file inclusion. A back end user with access to the form generator can upload arbitrary files and execute them on the server.

CVE-2019-19745
GHSA-wjx8-cgrm-hh8p

VCID-ah8s-8q49-8qbw

Incorrect Default Permissions Contao 4.0 through 4.8.5 has Insecure Permissions. Back end users can manipulate the details view URL to show pages and articles that have not been enabled for them.

CVE-2019-19712
GHSA-4mvc-qc5w-v5qr

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-04T20:39:49.844227+00:00	GitLab Importer	Affected by	VCID-u6sk-25yd-e7b2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core-bundle/CVE-2020-25768.yml	38.6.0
2026-06-04T17:41:57.720455+00:00	GithubOSV Importer	Fixing	VCID-98fv-kpqs-mybc	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-wjx8-cgrm-hh8p/GHSA-wjx8-cgrm-hh8p.json	38.6.0
2026-06-04T17:41:56.009137+00:00	GithubOSV Importer	Fixing	VCID-ah8s-8q49-8qbw	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-4mvc-qc5w-v5qr/GHSA-4mvc-qc5w-v5qr.json	38.6.0
2026-06-04T16:19:42.587197+00:00	GitLab Importer	Fixing	VCID-ah8s-8q49-8qbw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core-bundle/CVE-2019-19712.yml	38.6.0
2026-06-04T16:19:42.143018+00:00	GitLab Importer	Fixing	VCID-98fv-kpqs-mybc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core-bundle/CVE-2019-19745.yml	38.6.0