VulnerableCode Package Details - pkg:composer/contao/core-bundle@5.3.38

Search for packages

Vulnerability	Summary	Fixed by
VCID-r1h5-ag74-dbaw Aliases: CVE-2025-65961 GHSA-68q5-78xp-cwwc	Contao is vulnerable to cross-site scripting in templates It is possible to inject code into the template output that will be executed in the browser in the front end and back end.	5.3.42 Affected by 0 other vulnerabilities. 5.6.5 Affected by 0 other vulnerabilities.
VCID-wyd5-t8at-8bba Aliases: CVE-2025-65960 GHSA-98vj-mm79-v77r	Contao is vulnerable to remote code execution in template closures Backend users with precise control over the contents of template closures can execute arbitrary PHP functions that do not have required parameters.	5.3.42 Affected by 0 other vulnerabilities. 5.6.5 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-r1h5-ag74-dbaw
Aliases:
CVE-2025-65961
GHSA-68q5-78xp-cwwc

Contao is vulnerable to cross-site scripting in templates It is possible to inject code into the template output that will be executed in the browser in the front end and back end.

5.3.42
Affected by 0 other vulnerabilities.

5.6.5
Affected by 0 other vulnerabilities.

VCID-wyd5-t8at-8bba
Aliases:
CVE-2025-65960
GHSA-98vj-mm79-v77r

Contao is vulnerable to remote code execution in template closures Backend users with precise control over the contents of template closures can execute arbitrary PHP functions that do not have required parameters.

5.3.42
Affected by 0 other vulnerabilities.

5.6.5
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-afma-748j-uqae	Contao can disclose sensitive information in the news module If a news feed contains protected news archives, their news items are not filtered and become publicly available in the RSS feed.	CVE-2025-57757 GHSA-w53m-gxvg-vx7p
VCID-f1az-1ejn-53f7	Contao discloses sensitive information in the front end search index Protected content elements that are rendered as fragments are indexed and become publicly available in the front end search.	CVE-2025-57756 GHSA-2xmj-8wmq-7475
VCID-p4tq-y4en-57ag	Contao does not properly manage privileges for page and article fields Under certain conditions, back end users may be able to edit fields of pages and articles without having the necessary permissions.	CVE-2025-57759 GHSA-qqfq-7cpp-hcqj
VCID-ycnh-mnst-duap	Contao applies improper access control in the back end voters The table access voter in the back end doesn't check if a user is allowed to access the corresponding module.	CVE-2025-57758 GHSA-7m47-r75r-cx8v

Vulnerability

Summary

Aliases

VCID-afma-748j-uqae

Contao can disclose sensitive information in the news module If a news feed contains protected news archives, their news items are not filtered and become publicly available in the RSS feed.

CVE-2025-57757
GHSA-w53m-gxvg-vx7p

VCID-f1az-1ejn-53f7

Contao discloses sensitive information in the front end search index Protected content elements that are rendered as fragments are indexed and become publicly available in the front end search.

CVE-2025-57756
GHSA-2xmj-8wmq-7475

VCID-p4tq-y4en-57ag

Contao does not properly manage privileges for page and article fields Under certain conditions, back end users may be able to edit fields of pages and articles without having the necessary permissions.

CVE-2025-57759
GHSA-qqfq-7cpp-hcqj

VCID-ycnh-mnst-duap

Contao applies improper access control in the back end voters The table access voter in the back end doesn't check if a user is allowed to access the corresponding module.

CVE-2025-57758
GHSA-7m47-r75r-cx8v

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T06:26:10.751322+00:00	GitLab Importer	Affected by	VCID-r1h5-ag74-dbaw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core-bundle/CVE-2025-65961.yml	38.6.0
2026-06-06T06:25:06.017027+00:00	GitLab Importer	Affected by	VCID-wyd5-t8at-8bba	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core-bundle/CVE-2025-65960.yml	38.6.0
2026-06-04T17:12:04.248067+00:00	GithubOSV Importer	Fixing	VCID-afma-748j-uqae	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-w53m-gxvg-vx7p/GHSA-w53m-gxvg-vx7p.json	38.6.0
2026-06-04T17:11:39.707359+00:00	GithubOSV Importer	Fixing	VCID-p4tq-y4en-57ag	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-qqfq-7cpp-hcqj/GHSA-qqfq-7cpp-hcqj.json	38.6.0
2026-06-04T17:11:22.489756+00:00	GithubOSV Importer	Fixing	VCID-f1az-1ejn-53f7	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-2xmj-8wmq-7475/GHSA-2xmj-8wmq-7475.json	38.6.0
2026-06-04T17:11:09.295739+00:00	GithubOSV Importer	Fixing	VCID-ycnh-mnst-duap	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-7m47-r75r-cx8v/GHSA-7m47-r75r-cx8v.json	38.6.0
2026-06-04T16:24:53.854915+00:00	GitLab Importer	Fixing	VCID-f1az-1ejn-53f7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core-bundle/CVE-2025-57756.yml	38.6.0
2026-06-04T16:24:53.550290+00:00	GitLab Importer	Fixing	VCID-afma-748j-uqae	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core-bundle/CVE-2025-57757.yml	38.6.0
2026-06-04T16:24:53.483623+00:00	GitLab Importer	Fixing	VCID-ycnh-mnst-duap	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core-bundle/CVE-2025-57758.yml	38.6.0
2026-06-04T16:24:53.364311+00:00	GitLab Importer	Fixing	VCID-p4tq-y4en-57ag	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core-bundle/CVE-2025-57759.yml	38.6.0