VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-m28p-n6vz-zuhw

Essentials
Severities (13)
References (7)
Severity details (13)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-m28p-n6vz-zuhw
Aliases	GHSA-wxxw-5gq6-j2g5
Summary	contao/core Insufficient input validation allows for code injection and remote execution contao/core versions 2.x prior to 2.11.17 and 3.x prior to 3.2.9 are vulnerable to arbitrary code execution on the server due to insufficient input validation. In fact, attackers can remove or change pathconfig.php by entering a URL, meaning that the entire Contao installation will no longer be accessible or malicious code can be executed.
Status	Published
Exploitability	0.5
Weighted Severity	9.0
Risk	4.5
Affected and Fixed Packages	Package Details

Weaknesses (2)

CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3.1	9.0	https://c-c-a.org/aktuelles/news/details/eine-neue-kritische-sicherheitsluecke-in-contao-entdeckt
generic_textual	CRITICAL	https://c-c-a.org/aktuelles/news/details/eine-neue-kritische-sicherheitsluecke-in-contao-entdeckt
cvssv3.1_qr	CRITICAL	https://github.com/advisories/GHSA-wxxw-5gq6-j2g5
cvssv3.1	9.0	https://github.com/contao/core/commit/d45503568751a868193929ef349a49ae5e6686f0
generic_textual	CRITICAL	https://github.com/contao/core/commit/d45503568751a868193929ef349a49ae5e6686f0
cvssv3.1	9.0	https://github.com/contao/core/commit/d4a14f167e0cbb2e77c7829299e5b36f55c1ebce
generic_textual	CRITICAL	https://github.com/contao/core/commit/d4a14f167e0cbb2e77c7829299e5b36f55c1ebce
cvssv3.1	9.0	https://github.com/contao/core/issues/6855
generic_textual	CRITICAL	https://github.com/contao/core/issues/6855
cvssv3.1	9.0	https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core/2014-04-07.yaml
generic_textual	CRITICAL	https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core/2014-04-07.yaml
cvssv3.1	9.0	https://web.archive.org/web/20240214121817/https://contao.org/en/news/new-security-hole-found-in-contao
generic_textual	CRITICAL	https://web.archive.org/web/20240214121817/https://contao.org/en/news/new-security-hole-found-in-contao

Reference id	Reference type	URL
		https://c-c-a.org/aktuelles/news/details/eine-neue-kritische-sicherheitsluecke-in-contao-entdeckt
		https://github.com/contao/core/commit/d45503568751a868193929ef349a49ae5e6686f0
		https://github.com/contao/core/commit/d4a14f167e0cbb2e77c7829299e5b36f55c1ebce
		https://github.com/contao/core/issues/6855
		https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core/2014-04-07.yaml
		https://web.archive.org/web/20240214121817/https://contao.org/en/news/new-security-hole-found-in-contao
GHSA-wxxw-5gq6-j2g5		https://github.com/advisories/GHSA-wxxw-5gq6-j2g5

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H Found at https://c-c-a.org/aktuelles/news/details/eine-neue-kritische-sicherheitsluecke-in-contao-entdeckt

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H Found at https://github.com/contao/core/commit/d45503568751a868193929ef349a49ae5e6686f0

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H Found at https://github.com/contao/core/commit/d4a14f167e0cbb2e77c7829299e5b36f55c1ebce

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H Found at https://github.com/contao/core/issues/6855

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H Found at https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core/2014-04-07.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H Found at https://web.archive.org/web/20240214121817/https://contao.org/en/news/new-security-hole-found-in-contao

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

No EPSS data available for this vulnerability.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-04T16:21:42.639476+00:00	GitLab Importer	Import	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core/GHSA-wxxw-5gq6-j2g5.yml	38.6.0