Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:composer/contao/contao@4.12.0-RC2

Type composer

Namespace contao

Name contao

Version 4.12.0-RC2

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 4.13.56

Latest_non_vulnerable_version 5.6.1

Affected_by_vulnerabilities

url VCID-f1az-1ejn-53f7

vulnerability_id VCID-f1az-1ejn-53f7

summary

Contao discloses sensitive information in the front end search index
Protected content elements that are rendered as fragments are indexed and become publicly available in the front end search.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-57756

reference_id

reference_type

scores

value	0.00066
scoring_system	epss
scoring_elements	0.20802
published_at	2026-06-05T12:55:00Z

value	0.00066
scoring_system	epss
scoring_elements	0.20745
published_at	2026-06-07T12:55:00Z

value	0.00066
scoring_system	epss
scoring_elements	0.20789
published_at	2026-06-06T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-57756

reference_url

https://contao.org/en/security-advisories/information-disclosure-in-the-front-end-search-index

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-28T17:49:20Z/

url

https://contao.org/en/security-advisories/information-disclosure-in-the-front-end-search-index

reference_url

https://github.com/contao/contao

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/contao/contao

reference_url

https://github.com/contao/contao/commit/a03976c459b6f3985a28f6488b82a76ffb6c0514

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-28T17:49:20Z/

url

https://github.com/contao/contao/commit/a03976c459b6f3985a28f6488b82a76ffb6c0514

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-57756

reference_id

CVE-2025-57756

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-57756

reference_url	https://github.com/advisories/GHSA-2xmj-8wmq-7475
reference_id	GHSA-2xmj-8wmq-7475
reference_type
scores
url	https://github.com/advisories/GHSA-2xmj-8wmq-7475

reference_url

https://github.com/contao/contao/security/advisories/GHSA-2xmj-8wmq-7475

reference_id

GHSA-2xmj-8wmq-7475

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-28T17:49:20Z/

url

https://github.com/contao/contao/security/advisories/GHSA-2xmj-8wmq-7475

fixed_packages

url	pkg:composer/contao/contao@4.13.56
purl	pkg:composer/contao/contao@4.13.56
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/contao/contao@4.13.56

url	pkg:composer/contao/contao@5.3.38
purl	pkg:composer/contao/contao@5.3.38
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/contao/contao@5.3.38

url	pkg:composer/contao/contao@5.6.1
purl	pkg:composer/contao/contao@5.6.1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/contao/contao@5.6.1

aliases CVE-2025-57756, GHSA-2xmj-8wmq-7475

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-f1az-1ejn-53f7

url VCID-rgvt-jwf2-9fbr

vulnerability_id VCID-rgvt-jwf2-9fbr

summary

Duplicate Advisory: Contao allows admin an account to upload SVG file containing malicious JavaScript
## Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-vqqr-fgmh-f626. This link is maintained to preserve external references.

## Original Description

Contao 5.4.1 allows an authenticated admin account to upload a SVG file containing malicious javascript code into the target system. If the file is accessed through the website, it could lead to a Cross-Site Scripting (XSS) attack or execute arbitrary code via a crafted javascript to the target.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-45965

reference_id

reference_type

scores

value	0.00343
scoring_system	epss
scoring_elements	0.57233
published_at	2026-06-05T12:55:00Z

value	0.00343
scoring_system	epss
scoring_elements	0.57228
published_at	2026-06-07T12:55:00Z

value	0.00343
scoring_system	epss
scoring_elements	0.57241
published_at	2026-06-06T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-45965

reference_url

https://contao.org/en/security-advisories/cross-site-scripting-through-svg-uploads

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

value	6.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

value	1.8
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-02T20:29:10Z/

url

https://contao.org/en/security-advisories/cross-site-scripting-through-svg-uploads

reference_url

https://github.com/contao/contao

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

value	1.8
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/contao/contao

reference_url

https://grimthereaperteam.medium.com/contao-5-4-1-malicious-file-upload-xss-in-svg-30edb8820ecb

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

value	6.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

value	1.8
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-02T20:29:10Z/

url

https://grimthereaperteam.medium.com/contao-5-4-1-malicious-file-upload-xss-in-svg-30edb8820ecb

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-45965

reference_id

CVE-2024-45965

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

value	1.8
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-45965

reference_url

https://github.com/advisories/GHSA-mrw8-5368-phm3

reference_id

GHSA-mrw8-5368-phm3

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-mrw8-5368-phm3

fixed_packages

url pkg:composer/contao/contao@5.4.2

purl pkg:composer/contao/contao@5.4.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-afma-748j-uqae

vulnerability	VCID-f1az-1ejn-53f7

vulnerability	VCID-p4tq-y4en-57ag

vulnerability	VCID-ycnh-mnst-duap

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/contao@5.4.2

aliases CVE-2024-45965, GHSA-mrw8-5368-phm3

risk_score 2.1

exploitability 0.5

weighted_severity 4.3

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rgvt-jwf2-9fbr

Fixing_vulnerabilities

Risk_score 3.1

Resource_url http://public2.vulnerablecode.io/packages/pkg:composer/contao/contao@4.12.0-RC2

Package Instance