VulnerableCode Package Details - pkg:composer/contao/core-bundle@4.7.7

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:composer/contao/core-bundle@4.7.7

Essentials
History (6)

purl	pkg:composer/contao/core-bundle@4.7.7

Next non-vulnerable version	4.9.19
Latest non-vulnerable version	5.6.5
Risk	4.0

Vulnerabilities affecting this package (6)

Vulnerability	Summary	Fixed by
VCID-82d1-8yn8-sydv Aliases: CVE-2021-35955 GHSA-hr3h-x6gq-rqcp	Cross site scripting via HTML attributes in the back end It is possible for untrusted users to inject malicious code into HTML attributes in the back end, which will be executed both in the element preview (back end) and on the website (front end). Installations are only affected if there are untrusted back end users who have the rights to modify HTML fields (e.g. TinyMCE).	4.9.18 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 4.11.7 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-98fv-kpqs-mybc Aliases: CVE-2019-19745 GHSA-wjx8-cgrm-hh8p	Unrestricted Upload of File with Dangerous Type Contao allows PHP local file inclusion. A back end user with access to the form generator can upload arbitrary files and execute them on the server.	4.8.6 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 5.5.4 Affected by 0 other vulnerabilities.
VCID-ah8s-8q49-8qbw Aliases: CVE-2019-19712 GHSA-4mvc-qc5w-v5qr	Incorrect Default Permissions Contao 4.0 through 4.8.5 has Insecure Permissions. Back end users can manipulate the details view URL to show pages and articles that have not been enabled for them.	4.8.6 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 5.5.4 Affected by 0 other vulnerabilities.
VCID-azpb-eq6c-e7bw Aliases: CVE-2021-35210 GHSA-h58v-c6rf-g9f7	Cross site scripting in the system log It is possible to inject code into the `tl_log` table that will be executed in the browser when the system log is called in the back end.	4.9.16 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 4.11.5 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-rj3d-jeyz-vye5 Aliases: CVE-2021-37627 GHSA-hq5m-mqmx-fw6m	Improper Privilege Management Contao is an open source CMS that allows creation of websites and scalable web applications.All users are advised to update to Contao As a workaround users may disable the form generator or disable the login for untrusted back end users.	4.10.0-RC1 Affected by 0 other vulnerabilities. 4.12.0-RC1 Affected by 0 other vulnerabilities. 4.9.18 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 4.9.19 Affected by 0 other vulnerabilities. 4.11.7 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 4.11.8 Affected by 0 other vulnerabilities.
VCID-t2u3-tgg3-cbb9 Aliases: CVE-2021-37626 GHSA-r6mv-ppjc-4hgr	Code Injection Contao is an open source CMS that allows you to create websites and scalable web applications.Update to Contao to resolve. If you cannot update then disable the login for untrusted back end users.	4.10.0-RC1 Affected by 0 other vulnerabilities. 4.12.0-RC1 Affected by 0 other vulnerabilities. 4.9.18 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 4.9.19 Affected by 0 other vulnerabilities. 4.11.7 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 4.11.8 Affected by 0 other vulnerabilities.

Vulnerabilities fixed by this package (0)

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T00:53:22.653462+00:00	GitLab Importer	Affected by	VCID-82d1-8yn8-sydv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core-bundle/CVE-2021-35955.yml	38.6.0
2026-06-06T00:50:04.062731+00:00	GitLab Importer	Affected by	VCID-t2u3-tgg3-cbb9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core-bundle/CVE-2021-37626.yml	38.6.0
2026-06-06T00:50:00.578082+00:00	GitLab Importer	Affected by	VCID-rj3d-jeyz-vye5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core-bundle/CVE-2021-37627.yml	38.6.0
2026-06-06T00:47:31.634840+00:00	GitLab Importer	Affected by	VCID-azpb-eq6c-e7bw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core-bundle/CVE-2021-35210.yml	38.6.0
2026-06-04T20:26:07.015951+00:00	GitLab Importer	Affected by	VCID-ah8s-8q49-8qbw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core-bundle/CVE-2019-19712.yml	38.6.0
2026-06-04T20:26:04.173228+00:00	GitLab Importer	Affected by	VCID-98fv-kpqs-mybc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core-bundle/CVE-2019-19745.yml	38.6.0