CVE-2017-16558

Contao 3.0.0 to 3.5.30 and 4.0.0 to 4.4.7 contains an SQL injection vulnerability in the back end as well as in the listing module.

CVE-2019-10641

Contao before 3.5.39 and 4.x before 4.7.3 has a Weak Password Recovery Mechanism for a Forgotten Password.

CVE-2019-10643

Contao 4.7 allows Use of a Key Past its Expiration Date.

CVE-2014-1860

Contao CMS through 3.2.4 has PHP Object Injection Vulnerabilities