
81 matches found

RedhatCVE
added 2025/11/26 6:55 p.m.; 2 views

CVE-2025-65960

Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, back end users with precise control over the contents of template closures can execute arbitrary PHP functions that do not have required parameters. This issue has been patched in versions 4.13.57...

CVSS 6.6; AI score 7.2; EPSS 0.0002
Exploits: 0; References: 1
EUVD
added 2025/11/25 8:48 p.m.; 1 views

EUVD-2025-199631

Contao is vulnerable to cross-site scripting in templates...

CVSS 3.3; AI score 5.8; EPSS 0.0002
Exploits: 0; References: 2
EUVD
added 2025/11/25 8:43 p.m.; 1 views

EUVD-2025-199633

Contao is vulnerable to remote code execution in template closures...

CVSS 6.6; AI score 7.6; EPSS 0.0002
Exploits: 0; References: 5
Vulnrichment
added 2025/11/25 7:6 p.m.; 1 views

CVE-2025-65961 Contao is vulnerable to cross-site scripting in templates

Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, it is possible to inject code into the template output that will be executed in the browser in the front end and back end. This issue has been patched in versions 4.13.57, 5.3.42, and 5.6.5. A...

CVSS 3.3; AI score 6.6; EPSS 0.0002
Exploits: 0; References: 2
Cvelist
added 2025/11/25 6:54 p.m.; 4 views

CVE-2025-65960 Contao is vulnerable to remote code execution in template closures

Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, back end users with precise control over the contents of template closures can execute arbitrary PHP functions that do not have required parameters. This issue has been patched in versions 4.13.57...

CVSS 6.6; EPSS 0.0002
Exploits: 0; References: 2
Positive Technologies
added 2025/11/25 12:0 a.m.; 2 views

PT-2025-48078

Name of the Vulnerable Software and Affected Versions: Contao versions 4.0.0 through 4.13.56; Contao versions 5.3.0 through 5.3.41; Contao versions 5.6.0 through 5.6.4. Description: Contao is susceptible to code injection within template output, potentially leading to code execution in both the front...

CVSS 3.3; AI score 7.6; EPSS 0.0002
Exploits: 0; References: 14
EUVD
added 2025/10/07 12:30 a.m.; 3 views

EUVD-2021-1752

Malware in sbrugna...

CVSS 8; AI score 7.1; EPSS 0.00485
Exploits: 0; References: 7
EUVD
added 2025/10/07 12:30 a.m.; 1 views

EUVD-2021-1860

Malware in sbrugna...

CVSS 7.2; AI score 6.8; EPSS 0.00492
Exploits: 0; References: 7
EUVD
added 2025/10/07 12:30 a.m.; 4 views

EUVD-2011-0528

Malware in sbrugna...

CVSS 4.3; AI score 6.4; EPSS 0.00499
Exploits: 0; References: 8
EUVD
added 2025/10/07 12:30 a.m.; 1 views

EUVD-2014-1923

Malware in sbrugna...

CVSS 9.8; AI score 9.2; EPSS 0.00275
Exploits: 2; References: 6
EUVD
added 2025/10/03 8:7 p.m.; 1 views

EUVD-2024-2699

Malicious code in bioql PyPI...

CVSS 5.3; AI score 5.5; EPSS 0.0055
Exploits: 0; References: 7
NVD
added 2025/08/28 5:15 p.m.; 2 views

CVE-2025-57757

Contao is an Open Source CMS. In versions starting from 5.0.0 and prior to 5.3.38 and 5.6.1, if a news feed contains protected news archives, their news items are not filtered and become publicly available in the RSS feed. This issue has been patched in versions 5.3.38 and 5.6.1. A workaround...

CVSS 5.3; EPSS 0.00078
Exploits: 0; References: 3
OSV
added 2025/08/28 4:31 p.m.; 1 views

CVE-2025-57756 Contao discloses sensitive information in the front end search index

Contao is an Open Source CMS. In versions starting from 4.9.14 and prior to 4.13.56, 5.3.38, and 5.6.1, protected content elements that are rendered as fragments are indexed and become publicly available in the front end search. This issue has been patched in versions 4.13.56, 5.3.38, and 5.6.1. ...

CVSS 5.3; AI score 6.5; EPSS 0.00066
Exploits: 0; References: 5
RedhatCVE
added 2025/05/23 10:34 a.m.; 5 views

CVE-2024-45604

Contao is an Open Source CMS. In affected versions authenticated users in the back end can list files outside the document root in the file selector widget. Users are advised to update to Contao 4.13.49. There are no known workarounds for this vulnerability...

CVSS 4.3; AI score 6.6; EPSS 0.00747
Exploits: 0
RedhatCVE
added 2025/05/23 10:34 a.m.; 3 views

CVE-2024-45612

Contao is an Open Source CMS. In affected versions an untrusted user can inject insert tags into the canonical tag, which are then replaced on the web page front end. Users are advised to update to Contao 4.13.49, 5.3.15 or 5.4.3. Users unable to upgrade should disable canonical tags in the root...

CVSS 5.3; AI score 6.8; EPSS 0.0055
Exploits: 0
RedhatCVE
added 2025/05/23 10:10 a.m.; 5 views

CVE-2024-28191

Contao is an open source content management system. Starting in version 4.0.0 and prior to version 4.13.40 and 5.3.4, it is possible to inject insert tags in frontend forms if the output is structured in a very specific way. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a...

CVSS 5.4; AI score 6.6; EPSS 0.00988
Exploits: 0; References: 1
RedhatCVE
added 2025/03/20 7:20 p.m.; 7 views

CVE-2025-29790

Contao is an Open Source CMS. Users can upload SVG files with malicious code, which is then executed in the back end and/or front end. This vulnerability is fixed in Contao 4.13.54, 5.3.30, or 5.5.6...

CVSS 4.8; AI score 6.8; EPSS 0.00533
Exploits: 0; References: 1
NVD
added 2025/03/18 7:15 p.m.; 10 views

CVE-2025-29790

Contao is an Open Source CMS. Users can upload SVG files with malicious code, which is then executed in the back end and/or front end. This vulnerability is fixed in Contao 4.13.54, 5.3.30, or 5.5.6...

CVSS 5.4; EPSS 0.00533
Exploits: 0; References: 2
CVE
added 2025/03/18 6:36 p.m.; 65 views

CVE-2025-29790

Contao CMS is affected by a Cross‑Site Scripting (XSS) vulnerability triggered by uploading SVG files containing malicious code, which can be executed in backend or frontend contexts. Affected versions are not specified in the initial document, but remediation is provided: upgrade to Contao 4.13....

CVSS 5.4; AI score 6.5; EPSS 0.00533
Exploits: 0; References: 2; Affected Software: 1
Vulnrichment
added 2025/03/18 6:36 p.m.; 9 views

CVE-2025-29790 Contao allows cross-site scripting through SVG uploads

Contao is an Open Source CMS. Users can upload SVG files with malicious code, which is then executed in the back end and/or front end. This vulnerability is fixed in Contao 4.13.54, 5.3.30, or 5.5.6...

CVSS 4.8; AI score 6.8; EPSS 0.00533
Exploits: 0; References: 2