Contao <4.13.3 - Cross-Site Scripting

Contao prior to 4.13.3 contains a cross-site scripting vulnerability. It is possible to inject arbitrary JavaScript code into the canonical tag. id: CVE-2022-24899 info: name: Contao 4.13.3 - Cross-Site Scripting author: ritikchaddha severity: medium description: | Contao prior to 4.13.3 contains...

CVE-2018-10125

Contao before 4.5.7 has XSS in the system log...

CVE-2022-26265

Contao Managed Edition v1.5.0 was discovered to contain a remote command execution RCE vulnerability via the component phpcli parameter...

CVE-2019-11512

Contao 4.x allows SQL Injection. Fixed in Contao 4.4.39 and Contao 4.7.5...

CVE-2025-65961

Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, it is possible to inject code into the template output that will be executed in the browser in the front end and back end. This issue has been patched in versions 4.13.57, 5.3.42, and 5.6.5. A...

CVE-2025-65960

Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, back end users with precise control over the contents of template closures can execute arbitrary PHP functions that do not have required parameters. This issue has been patched in versions 4.13.57...

GHSA-68Q5-78XP-CWWC Contao is vulnerable to cross-site scripting in templates

Impact It is possible to inject code into the template output that will be executed in the browser in the front end and back end. Patches Update to Contao 4.13.57, 5.3.42 or 5.6.5. Workarounds Do not use the affected templates or patch them manually. Refsources...

EUVD-2025-199631

Contao is vulnerable to cross-site scripting in templates...

Cross-site Scripting (XSS)

Overview contao/core-bundle is an Open Source PHP Content Management System for people who want a professional website that is easy to maintain. Affected versions of this package are vulnerable to Cross-site Scripting XSS via template output. An attacker can execute arbitrary scripts in the brows...

Contao is vulnerable to cross-site scripting in templates

Impact It is possible to inject code into the template output that will be executed in the browser in the front end and back end. Patches Update to Contao 4.13.57, 5.3.42 or 5.6.5. Workarounds Do not use the affected templates or patch them manually. Refsources...

Insufficient Type Distinction

Overview contao/core-bundle is an Open Source PHP Content Management System for people who want a professional website that is easy to maintain. Affected versions of this package are vulnerable to Insufficient Type Distinction in the Template::once method. Backend users with sufficient privileges...

EUVD-2025-199633

Contao is vulnerable to remote code execution in template closures...

Contao is vulnerable to remote code execution in template closures

Impact Backend users with precise control over the contents of template closures can execute arbitrary PHP functions that do not have required parameters. Patches Update to Contao 4.13.57, 5.3.42 or 5.6.5 Workarounds Manually patch the Contao\Template::once method. Resources...

GHSA-98VJ-MM79-V77R Contao is vulnerable to remote code execution in template closures

Impact Backend users with precise control over the contents of template closures can execute arbitrary PHP functions that do not have required parameters. Patches Update to Contao 4.13.57, 5.3.42 or 5.6.5 Workarounds Manually patch the Contao\Template::once method. Resources...

CVE-2025-65961

Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, it is possible to inject code into the template output that will be executed in the browser in the front end and back end. This issue has been patched in versions 4.13.57, 5.3.42, and 5.6.5. A...

CVE-2025-65960

Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, back end users with precise control over the contents of template closures can execute arbitrary PHP functions that do not have required parameters. This issue has been patched in versions 4.13.57...

CVE-2025-65961

Contao CMS vulnerability CVE-2025-65961 enables cross-site scripting via template output in affected templates. Affected versions: 4.0.0–4.13.57, 5.0–before 5.3.42, and before 5.6.5. Root cause: injection of code into template output executed in both front-end and back-end browsers. Mitigation/Re...

CVE-2025-65961 Contao is vulnerable to cross-site scripting in templates

Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, it is possible to inject code into the template output that will be executed in the browser in the front end and back end. This issue has been patched in versions 4.13.57, 5.3.42, and 5.6.5. A...

CVE-2025-65961 Contao is vulnerable to cross-site scripting in templates

Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, it is possible to inject code into the template output that will be executed in the browser in the front end and back end. This issue has been patched in versions 4.13.57, 5.3.42, and 5.6.5. A...

CVE-2025-65961 Contao is vulnerable to cross-site scripting in templates

Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, it is possible to inject code into the template output that will be executed in the browser in the front end and back end. This issue has been patched in versions 4.13.57, 5.3.42, and 5.6.5. A...