Search for packages
| purl | pkg:composer/contao/core-bundle@5.4.0-RC2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-afma-748j-uqae
Aliases: CVE-2025-57757 GHSA-w53m-gxvg-vx7p |
Contao can disclose sensitive information in the news module If a news feed contains protected news archives, their news items are not filtered and become publicly available in the RSS feed. |
Affected by 2 other vulnerabilities. |
|
VCID-f1az-1ejn-53f7
Aliases: CVE-2025-57756 GHSA-2xmj-8wmq-7475 |
Contao discloses sensitive information in the front end search index Protected content elements that are rendered as fragments are indexed and become publicly available in the front end search. |
Affected by 2 other vulnerabilities. |
|
VCID-p4tq-y4en-57ag
Aliases: CVE-2025-57759 GHSA-qqfq-7cpp-hcqj |
Contao does not properly manage privileges for page and article fields Under certain conditions, back end users may be able to edit fields of pages and articles without having the necessary permissions. |
Affected by 2 other vulnerabilities. |
|
VCID-r1h5-ag74-dbaw
Aliases: CVE-2025-65961 GHSA-68q5-78xp-cwwc |
Contao is vulnerable to cross-site scripting in templates It is possible to inject code into the template output that will be executed in the browser in the front end and back end. |
Affected by 0 other vulnerabilities. |
|
VCID-wyd5-t8at-8bba
Aliases: CVE-2025-65960 GHSA-98vj-mm79-v77r |
Contao is vulnerable to remote code execution in template closures Backend users with precise control over the contents of template closures can execute arbitrary PHP functions that do not have required parameters. |
Affected by 0 other vulnerabilities. |
|
VCID-ycnh-mnst-duap
Aliases: CVE-2025-57758 GHSA-7m47-r75r-cx8v |
Contao applies improper access control in the back end voters The table access voter in the back end doesn't check if a user is allowed to access the corresponding module. |
Affected by 2 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||