| purl | pkg:composer/contao/core-bundle@5.3.16 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-37bz-3y5f-k3ca (aliases: CVE-2025-65961, GHSA-68q5-78xp-cwwc) | Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, it is possible to inject code into the template output that will be executed in the browser in the front end and back end. This issue has been patched in versions 4.13.57, 5.3.42, and 5.6.5. A workaround is to not use the affected templates or to patch them manually. | Two fixing versions listed, each affected by 0 other vulnerabilities |
| VCID-4s26-ndpg-jkcy (aliases: CVE-2025-57759, GHSA-qqfq-7cpp-hcqj) | Contao is an Open Source CMS. In versions starting from 5.3.0 and prior to 5.3.38 and 5.6.1, under certain conditions, back end users may be able to edit fields of pages and articles without having the necessary permissions. This issue has been patched in versions 5.3.38 and 5.6.1. There are no workarounds. | Two fixing versions listed, each affected by 2 other vulnerabilities |
| VCID-9fgc-p6aq-vygh (aliases: CVE-2025-57756, GHSA-2xmj-8wmq-7475) | Contao is an Open Source CMS. In versions starting from 4.9.14 and prior to 4.13.56, 5.3.38, and 5.6.1, protected content elements that are rendered as fragments are indexed and become publicly available in the front end search. This issue has been patched in versions 4.13.56, 5.3.38, and 5.6.1. A workaround is to disable the front end search. | Two fixing versions listed, each affected by 2 other vulnerabilities |
| VCID-bmg9-saw6-efhd (aliases: CVE-2025-57758, GHSA-7m47-r75r-cx8v) | Contao is an Open Source CMS. In versions starting from 5.0.0 and prior to 5.3.38 and 5.6.1, the table access voter in the back end does not check whether a user is allowed to access the corresponding module. This issue has been patched in versions 5.3.38 and 5.6.1. A workaround is to not rely solely on the voter and to additionally check USER_CAN_ACCESS_MODULE. | Two fixing versions listed, each affected by 2 other vulnerabilities |
| VCID-tchf-hfgv-e3ca (aliases: CVE-2025-65960, GHSA-98vj-mm79-v77r) | Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, back end users with precise control over the contents of template closures can execute arbitrary PHP functions that do not have required parameters. This issue has been patched in versions 4.13.57, 5.3.42, and 5.6.5. A workaround is to manually patch the Contao\Template::once() method. | Two fixing versions listed, each affected by 0 other vulnerabilities |
| VCID-ubr4-jj9v-3kcx (aliases: CVE-2025-29790, GHSA-vqqr-fgmh-f626) | Contao is an Open Source CMS. Users can upload SVG files with malicious code, which is then executed in the back end and/or front end. This vulnerability is fixed in Contao 4.13.54, 5.3.30, and 5.5.6. | Three fixing versions listed, each affected by 6 other vulnerabilities |
| VCID-w65y-66s4-qbgy (aliases: CVE-2025-57757, GHSA-w53m-gxvg-vx7p) | Contao is an Open Source CMS. In versions starting from 5.0.0 and prior to 5.3.38 and 5.6.1, if a news feed contains protected news archives, their news items are not filtered and become publicly available in the RSS feed. This issue has been patched in versions 5.3.38 and 5.6.1. A workaround is to not add protected news archives to the news feed page. | Two fixing versions listed, each affected by 2 other vulnerabilities |
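The seven summaries above each name an introduced version and one fixed version per maintained branch, but they do not say directly which single upgrade clears all of them for 5.3.16. The script below is an added example (not VulnerableCode's or Contao's own code) that transcribes the version data from the summaries and evaluates any contao/core-bundle release version against it. The branch-matching rule (the applicable fix is the lowest fixed version with the same major and a minor not below the queried one) and the plain x.y.z version parser are this example's assumptions.

```python
"""Evaluate which advisories on this page affect a given contao/core-bundle
version and find the smallest upgrade that clears all of them.

Added example. The advisory data is transcribed from the summaries above;
the branch/fix matching rule is this example's own assumption, not
VulnerableCode's or Contao's algorithm.
"""

from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]


def parse(v: str) -> Version:
    # Plain x.y.z release versions only; Composer stability suffixes such as
    # 5.6.0-RC1 are deliberately not handled (assumption of this example).
    major, minor, patch = (int(p) for p in v.split("."))
    return (major, minor, patch)


@dataclass(frozen=True)
class Advisory:
    cve: str
    introduced: Optional[str]   # None when the summary gives no lower bound
    fixed: Tuple[str, ...]      # one fixed version per maintained branch


# Transcribed from the summaries on this page. CVE-2025-29790 states only
# the fixed versions, so its introduced version is left as None.
ADVISORIES = (
    Advisory("CVE-2025-65961", "4.0.0", ("4.13.57", "5.3.42", "5.6.5")),
    Advisory("CVE-2025-57759", "5.3.0", ("5.3.38", "5.6.1")),
    Advisory("CVE-2025-57756", "4.9.14", ("4.13.56", "5.3.38", "5.6.1")),
    Advisory("CVE-2025-57758", "5.0.0", ("5.3.38", "5.6.1")),
    Advisory("CVE-2025-65960", "4.0.0", ("4.13.57", "5.3.42", "5.6.5")),
    Advisory("CVE-2025-29790", None, ("4.13.54", "5.3.30", "5.5.6")),
    Advisory("CVE-2025-57757", "5.0.0", ("5.3.38", "5.6.1")),
)


def fix_for(version: str, adv: Advisory) -> Optional[str]:
    """Return the fixed version a user of `version` should move to, or None
    if `version` is not affected by `adv`.

    Matching rule (assumption, modelled on how the summaries are worded:
    one fix for the 4.13 LTS line, one for 5.3 LTS, one for the 5.4-5.6
    feature releases): the applicable fix is the lowest fixed version with
    the same major and a minor >= the queried minor. A version with no such
    fix is newer than every fix on its major line and is treated as unaffected.
    """
    v = parse(version)
    if adv.introduced is not None and v < parse(adv.introduced):
        return None
    candidates = [
        f for f in adv.fixed
        if parse(f)[0] == v[0] and parse(f)[1] >= v[1]
    ]
    if not candidates:
        return None
    fix = min(candidates, key=parse)
    return fix if v < parse(fix) else None


def affecting(version: str) -> Dict[str, str]:
    """Map CVE id -> applicable fix for every advisory affecting `version`."""
    result: Dict[str, str] = {}
    for adv in ADVISORIES:
        fix = fix_for(version, adv)
        if fix is not None:
            result[adv.cve] = fix
    return result


def minimum_upgrade(version: str) -> Optional[str]:
    """Smallest version on the current branch that clears every affecting
    advisory: the highest of the per-advisory fixes."""
    fixes = list(affecting(version).values())
    return max(fixes, key=parse) if fixes else None


if __name__ == "__main__":
    for v in ("5.3.16", "5.3.42", "5.5.0", "4.13.55"):
        print(v, sorted(affecting(v).items()), "->", minimum_upgrade(v))
```

For the purl on this page, 5.3.16, all seven advisories apply and the computed upgrade target is 5.3.42, the highest of the 5.3-branch fixes; the same function reports 5.6.5 for a 5.5.x install and 4.13.57 for a 4.13 LTS install below that patch level.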
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |