Contao/contao

This hub aggregates every CVE we track for Contao/contao, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Contao/contao.

• CVE-2025-57759Contao has improper privilege management for page and article fields4.3Aug 28, 2025
• CVE-2025-57758Contao has improper access control in the back end voters4.3Aug 28, 2025
• CVE-2025-57757Contao discloses information in the news module5.3Aug 28, 2025
• CVE-2025-57756Contao discloses sensitive information in the front end search index5.3Aug 28, 2025
• CVE-2024-45965Contao before 5.5.6 allows XSS via an SVG document. This affects (in contao/core-bundle in Composer) 4.x before 4.13.54, 5.0.x through 5.3.x before 5.3.30, and 5.4.x and 5.5..x before 5.5.6.6.4Oct 2, 2024
• CVE-2023-29200contao/core-bundle has path traversal vulnerability in the file manager4.3Apr 25, 2023
• CVE-2022-24899Cross site scripting via canonical tag7.2May 5, 2022
• CVE-2021-35955Contao >=4.0.0 allows backend XSS via HTML attributes to an HTML field. Fixed in 4.4.56, 4.9.18, 4.11.7.4.8Aug 12, 2021
• CVE-2021-37627Privilege escalation via form generator8.0Aug 11, 2021
• CVE-2021-37626PHP file inclusion via insert tags7.2Aug 11, 2021
• CVE-2021-35210Contao 4.5.x through 4.9.x before 4.9.16, and 4.10.x through 4.11.x before 4.11.5, allows XSS. It is possible to inject code into the tl_log table that will be executed in the browser when the syst...6.1Jun 23, 2021
• CVE-2020-25768Contao before 4.4.52, 4.9.x before 4.9.6, and 4.10.x before 4.10.1 have Improper Input Validation. It is possible to inject insert tags in front end forms which will be replaced when the page is re...5.3Oct 7, 2020
• CVE-2018-10125Contao before 4.5.7 has XSS in the system log.6.1Mar 16, 2020
• CVE-2019-19745Contao 4.0 through 4.8.5 allows PHP local file inclusion. A back end user with access to the form generator can upload arbitrary files and execute them on the server.8.8Dec 17, 2019
• CVE-2019-19714Contao 4.8.4 and 4.8.5 has Improper Encoding or Escaping of Output. It is possible to inject insert tags into the login module which will be replaced when the page is rendered.5.3Dec 17, 2019