Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:composer/contao/core@3.2.13
purl pkg:composer/contao/core@3.2.13
Next non-vulnerable version None.
Latest non-vulnerable version None.
Risk 4.0
Vulnerabilities affecting this package (6)
Vulnerability Summary Fixed by
VCID-8nqr-2rzv-ufh3
Aliases:
CVE-2019-10641
GHSA-vcgg-hp4r-87gx
Weak Password Recovery Mechanism for Forgotten Password Contao has a Weak Password Recovery Mechanism for a Forgotten Password.
3.5.39
Affected by 1 other vulnerability.
VCID-995h-hgjt-fbdn
Aliases:
CVE-2016-4567
GHSA-277w-qpxr-2549
Cross-site Scripting Cross-site scripting (XSS) vulnerability in `flash/FlashMediaElement.as` in `MediaElement.js` allows remote attackers to inject arbitrary web script or HTML via an obfuscated form of the `jsinitfunction` parameter, as demonstrated by `jsinitfunctio%gn`."
3.5.15
Affected by 5 other vulnerabilities.
VCID-9w2a-7f49-13hy
Aliases:
CVE-2018-5478
GHSA-mpg7-2rx9-h5qp
XSS vulnerability in the newsletter extension The vulnerability is in the "unsubscribe" module of the newsletter extension and can easily be exploited by anyone in the front end. If you are not using the newsletter extension or the "unsubscribe" module, your installation is not affected by the vulnerability.
3.5.32
Affected by 3 other vulnerabilities.
VCID-hcak-ajk5-nka1
Aliases:
CVE-2017-16558
GHSA-w38g-hj45-mjjp
SQL injection vulnerability Both the search filter in the back end and the "listing" module in the front end are vulnerable to SQL injection. To exploit the vulnerability in the back end, a back end user has to be logged in, whereas the front end vulnerability can be exploited by anyone. There are no reported fixed by versions.
VCID-hzu7-kuxn-5fec
Aliases:
CVE-2017-10993
GHSA-x5g4-crxq-qxjx
PHP file inclusion vulnerability in the back end A logged in back end user can include arbitrary PHP files by manipulating an URL parameter. Since Contao does not allow to upload PHP files in the file manager, the attack is limited to the existing PHP files on the server.
3.5.28
Affected by 4 other vulnerabilities.
VCID-k1t6-91wr-xqc2
Aliases:
CVE-2018-10125
GHSA-pj4j-287j-f742
XSS in system log of back end There's a Cross-Site Scripting (XSS) vulnerability in system log of back end. With a manipulated request, an attacker can implant a script which is executed when a logged in back end user opens the system log. The attacker themselves does not have to be logged in.
3.5.35
Affected by 2 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-05-31T09:56:01.741656+00:00 GitLab Importer Affected by VCID-hcak-ajk5-nka1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core/CVE-2017-16558.yml 38.6.0
2026-05-31T09:55:47.714050+00:00 GitLab Importer Affected by VCID-8nqr-2rzv-ufh3 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core/CVE-2019-10641.yml 38.6.0
2026-05-31T09:44:17.155157+00:00 GitLab Importer Affected by VCID-k1t6-91wr-xqc2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core/CVE-2018-10125.yml 38.6.0
2026-05-31T09:42:48.441271+00:00 GitLab Importer Affected by VCID-9w2a-7f49-13hy https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core/CVE-2018-5478.yml 38.6.0
2026-05-31T09:39:01.320398+00:00 GitLab Importer Affected by VCID-hzu7-kuxn-5fec https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core/CVE-2017-10993.yml 38.6.0
2026-05-31T09:35:36.322911+00:00 GitLab Importer Affected by VCID-995h-hgjt-fbdn https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core/CVE-2016-4567.yml 38.6.0