Contao/core-bundle

This hub aggregates every CVE we track for Contao/core-bundle, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Contao/core-bundle.

• CVE-2025-65961Contao is vulnerable to cross-site scripting in templates3.3Nov 25, 2025
• CVE-2025-65960Contao is vulnerable to remote code execution in template closures6.6Nov 25, 2025
• CVE-2025-57759Contao has improper privilege management for page and article fields4.3Aug 28, 2025
• CVE-2025-57758Contao has improper access control in the back end voters4.3Aug 28, 2025
• CVE-2025-57757Contao discloses information in the news module5.3Aug 28, 2025
• CVE-2025-57756Contao discloses sensitive information in the front end search index5.3Aug 28, 2025
• CVE-2025-29790Contao allows cross-site scripting through SVG uploads5.4Mar 18, 2025
• CVE-2024-45604Directory traversal in the file selector widget in contao/core-bundle4.3Sep 17, 2024
• CVE-2024-45398Remote command execution through file upload in contao/core-bundle8.3Sep 17, 2024
• CVE-2024-45612Insert tag injection via canonical URL in Contao5.3Sep 17, 2024
• CVE-2024-30262Contao's remember-me tokens will not be cleared after a password change5.9Apr 9, 2024
• CVE-2024-28235Contao possible cookie sharing with external domains while checking protected pages for broken links8.3Apr 9, 2024
• CVE-2024-28191Contao may have unencoded insert tags in the frontend3.1Apr 9, 2024
• CVE-2024-28190Contao core bundle vulnerable to cross site scripting in the file manager5.4Apr 9, 2024
• CVE-2023-36806Contao cross site scripting vulnerability via input unit widget6.5Jul 25, 2023