VulnerableCode Package Details - pkg:composer/contao/core@2.9.1

Vulnerabilities affecting this package (8)

Vulnerability	Summary	Fixed by
VCID-5639-8xt3-8ugc Aliases: GMS-2014-36	Improper Input Validation Insufficient input validation allows for code injection and remote execution.	2.11.17 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 3.2.9 Affected by 6 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 3.2.11 Affected by 6 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-6bch-mqbz-bqfs Aliases: CVE-2018-5478 GHSA-mpg7-2rx9-h5qp	XSS vulnerability in the newsletter extension The vulnerability is in the "unsubscribe" module of the newsletter extension and can easily be exploited by anyone in the front end. If you are not using the newsletter extension or the "unsubscribe" module, your installation is not affected by the vulnerability.	3.5.32 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-6um8-6hqz-uybm Aliases: CVE-2017-16558 GHSA-w38g-hj45-mjjp	SQL injection vulnerability Both the search filter in the back end and the "listing" module in the front end are vulnerable to SQL injection. To exploit the vulnerability in the back end, a back end user has to be logged in, whereas the front end vulnerability can be exploited by anyone.	There are no reported fixed by versions.
VCID-crsc-bhc9-y3f9 Aliases: CVE-2017-10993 GHSA-x5g4-crxq-qxjx	PHP file inclusion vulnerability in the back end A logged in back end user can include arbitrary PHP files by manipulating an URL parameter. Since Contao does not allow to upload PHP files in the file manager, the attack is limited to the existing PHP files on the server.	3.5.28 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-epmj-qf23-xffd Aliases: CVE-2018-10125 GHSA-pj4j-287j-f742	XSS in system log of back end There's a Cross-Site Scripting (XSS) vulnerability in system log of back end. With a manipulated request, an attacker can implant a script which is executed when a logged in back end user opens the system log. The attacker themselves does not have to be logged in.	3.5.35 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-stup-et3v-5kgp Aliases: CVE-2015-0269 GHSA-4r6g-xhx7-fm36	Path Traversal Directory traversal vulnerability in Contao allows remote authenticated `back end` users to view files outside their file mounts or the document root via unspecified vectors.	3.0.0 Affected by 10 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 3.2.19 Affected by 6 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 3.4.4 Affected by 6 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-u721-yafq-bkc7 Aliases: GMS-2014-35	Code Injection PHP object injection vulnerability allows for arbitrary code execution.	2.11.16 Affected by 6 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 3.2.7 Affected by 7 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-zexf-zd22-nkfp Aliases: CVE-2012-4383 GHSA-9jq2-jvwc-p52f	Contao core SQL Injection Vulnerability Contao core prior to 2.11.4 has a SQL injection vulnerability in `contao-2.11.3\system\modules\backend\Ajax.php`	2.11.4 Affected by 7 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Next non-vulnerable version	None.
Latest non-vulnerable version	None.
Risk	4.5

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T01:42:21.146169+00:00	GitLab Importer	Affected by	VCID-zexf-zd22-nkfp	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core/CVE-2012-4383.yml	38.6.0
2026-06-04T20:21:11.642694+00:00	GitLab Importer	Affected by	VCID-6um8-6hqz-uybm	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core/CVE-2017-16558.yml	38.6.0
2026-06-04T20:11:52.886037+00:00	GitLab Importer	Affected by	VCID-epmj-qf23-xffd	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core/CVE-2018-10125.yml	38.6.0
2026-06-04T20:10:53.695860+00:00	GitLab Importer	Affected by	VCID-6bch-mqbz-bqfs	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core/CVE-2018-5478.yml	38.6.0
2026-06-04T20:08:20.804491+00:00	GitLab Importer	Affected by	VCID-crsc-bhc9-y3f9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core/CVE-2017-10993.yml	38.6.0
2026-06-04T20:08:06.778857+00:00	GitLab Importer	Affected by	VCID-stup-et3v-5kgp	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core/CVE-2015-0269.yml	38.6.0
2026-06-04T20:04:05.846090+00:00	GitLab Importer	Affected by	VCID-5639-8xt3-8ugc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core/GMS-2014-36.yml	38.6.0
2026-06-04T20:03:58.076217+00:00	GitLab Importer	Affected by	VCID-u721-yafq-bkc7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core/GMS-2014-35.yml	38.6.0