VulnerableCode Package Details - pkg:composer/contao/core-bundle@5.0.0-RC1

Search for packages

Vulnerability	Summary	Fixed by
VCID-afma-748j-uqae Aliases: CVE-2025-57757 GHSA-w53m-gxvg-vx7p	Contao can disclose sensitive information in the news module If a news feed contains protected news archives, their news items are not filtered and become publicly available in the RSS feed.	5.3.38 Affected by 0 other vulnerabilities. 5.6.1 Affected by 0 other vulnerabilities.
VCID-f1az-1ejn-53f7 Aliases: CVE-2025-57756 GHSA-2xmj-8wmq-7475	Contao discloses sensitive information in the front end search index Protected content elements that are rendered as fragments are indexed and become publicly available in the front end search.	5.3.38 Affected by 0 other vulnerabilities. 5.6.1 Affected by 0 other vulnerabilities.
VCID-gzzh-6ysu-9yey Aliases: CVE-2024-28235 GHSA-9jh5-qf84-x6pr	Contao: Possible cookie sharing with external domains while checking protected pages for broken links If the crawler is set to crawl protected pages, it sends the cookie header to externals URLs.	5.3.4 Affected by 0 other vulnerabilities.
VCID-jbcs-b2p9-myhz Aliases: CVE-2024-28190 GHSA-v24p-7p4j-qvvf	Contao: Cross site scripting in the file manager Users can insert malicious code into file names when uploading files, which is then executed in tooltips and popups in the backend.	5.3.4 Affected by 0 other vulnerabilities.
VCID-jzx2-et8q-7qhm Aliases: CVE-2024-28191 GHSA-747v-52c4-8vj8	Contao: Unencoded insert tags in the frontend It is possible to inject insert tags via the form generator if the submitted form data is output on the page in a specific way.	5.3.4 Affected by 0 other vulnerabilities.
VCID-r1h5-ag74-dbaw Aliases: CVE-2025-65961 GHSA-68q5-78xp-cwwc	Contao is vulnerable to cross-site scripting in templates It is possible to inject code into the template output that will be executed in the browser in the front end and back end.	5.3.42 Affected by 0 other vulnerabilities. 5.6.5 Affected by 0 other vulnerabilities.
VCID-wyd5-t8at-8bba Aliases: CVE-2025-65960 GHSA-98vj-mm79-v77r	Contao is vulnerable to remote code execution in template closures Backend users with precise control over the contents of template closures can execute arbitrary PHP functions that do not have required parameters.	5.3.42 Affected by 0 other vulnerabilities. 5.6.5 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-afma-748j-uqae
Aliases:
CVE-2025-57757
GHSA-w53m-gxvg-vx7p

Contao can disclose sensitive information in the news module If a news feed contains protected news archives, their news items are not filtered and become publicly available in the RSS feed.

5.3.38
Affected by 0 other vulnerabilities.

5.6.1
Affected by 0 other vulnerabilities.

VCID-f1az-1ejn-53f7
Aliases:
CVE-2025-57756
GHSA-2xmj-8wmq-7475

Contao discloses sensitive information in the front end search index Protected content elements that are rendered as fragments are indexed and become publicly available in the front end search.

5.3.38
Affected by 0 other vulnerabilities.

5.6.1
Affected by 0 other vulnerabilities.

VCID-gzzh-6ysu-9yey
Aliases:
CVE-2024-28235
GHSA-9jh5-qf84-x6pr

Contao: Possible cookie sharing with external domains while checking protected pages for broken links If the crawler is set to crawl protected pages, it sends the cookie header to externals URLs.

5.3.4
Affected by 0 other vulnerabilities.

VCID-jbcs-b2p9-myhz
Aliases:
CVE-2024-28190
GHSA-v24p-7p4j-qvvf

Contao: Cross site scripting in the file manager Users can insert malicious code into file names when uploading files, which is then executed in tooltips and popups in the backend.

5.3.4
Affected by 0 other vulnerabilities.

VCID-jzx2-et8q-7qhm
Aliases:
CVE-2024-28191
GHSA-747v-52c4-8vj8

Contao: Unencoded insert tags in the frontend It is possible to inject insert tags via the form generator if the submitted form data is output on the page in a specific way.

5.3.4
Affected by 0 other vulnerabilities.

VCID-r1h5-ag74-dbaw
Aliases:
CVE-2025-65961
GHSA-68q5-78xp-cwwc

Contao is vulnerable to cross-site scripting in templates It is possible to inject code into the template output that will be executed in the browser in the front end and back end.

5.3.42
Affected by 0 other vulnerabilities.

5.6.5
Affected by 0 other vulnerabilities.

VCID-wyd5-t8at-8bba
Aliases:
CVE-2025-65960
GHSA-98vj-mm79-v77r

Contao is vulnerable to remote code execution in template closures Backend users with precise control over the contents of template closures can execute arbitrary PHP functions that do not have required parameters.

5.3.42
Affected by 0 other vulnerabilities.

5.6.5
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-04T16:24:53.823650+00:00	GitLab Importer	Affected by	VCID-f1az-1ejn-53f7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core-bundle/CVE-2025-57756.yml	38.6.0
2026-06-04T16:24:53.535502+00:00	GitLab Importer	Affected by	VCID-afma-748j-uqae	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core-bundle/CVE-2025-57757.yml	38.6.0
2026-06-02T04:48:53.061811+00:00	GitLab Importer	Affected by	VCID-r1h5-ag74-dbaw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core-bundle/CVE-2025-65961.yml	38.6.0
2026-06-02T04:48:48.325698+00:00	GitLab Importer	Affected by	VCID-wyd5-t8at-8bba	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core-bundle/CVE-2025-65960.yml	38.6.0
2026-06-02T04:47:32.773252+00:00	GitLab Importer	Affected by	VCID-jbcs-b2p9-myhz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core-bundle/CVE-2024-28190.yml	38.6.0
2026-06-02T04:47:32.456117+00:00	GitLab Importer	Affected by	VCID-gzzh-6ysu-9yey	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core-bundle/CVE-2024-28235.yml	38.6.0
2026-06-02T04:47:32.329859+00:00	GitLab Importer	Affected by	VCID-jzx2-et8q-7qhm	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core-bundle/CVE-2024-28191.yml	38.6.0