
contao — Vulnerabilities & Security Advisories (22)

Browse all 22 CVE security advisories affecting contao. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Contao is an open-source content management system designed for creating complex, multilingual websites with a focus on accessibility and SEO. Historically, its codebase has been susceptible to several critical vulnerability classes, including remote code execution, cross-site scripting, and SQL injection. These flaws often stem from insufficient input validation and improper access controls within legacy modules. Notable incidents include multiple CVEs allowing attackers to execute arbitrary commands or escalate privileges, frequently exploiting weak session management or insecure file uploads. The platform’s modular architecture sometimes introduces attack surfaces through third-party extensions that lack rigorous security auditing. While recent versions have improved sandboxing and input filtering, the accumulation of 22 recorded CVEs highlights ongoing challenges in maintaining secure code standards across its extensive feature set.

Found 22 results.
| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2025-65961 | Contao is vulnerable to cross-site scripting in templates | contao | CWE-87 | 3.3 | Low | 2025-11-25 |
| CVE-2025-65960 | Contao is vulnerable to remote code execution in template closures | contao | CWE-351 | 6.6 | Medium | 2025-11-25 |
| CVE-2025-57759 | Contao has improper privilege management for page and article fields | contao | CWE-269 | 4.3 | Medium | 2025-08-28 |
| CVE-2025-57758 | Contao has improper access control in the back end voters | contao | CWE-284 | 4.3 | Medium | 2025-08-28 |
| CVE-2025-57757 | Contao discloses information in the news module | contao | CWE-200 | 5.3 | Medium | 2025-08-28 |
| CVE-2025-57756 | Contao discloses sensitive information in the front end search index | contao | CWE-200 | 5.3 | Medium | 2025-08-28 |
| CVE-2025-29790 | Contao allows cross-site scripting through SVG uploads | contao | CWE-79 | 4.6 | - | 2025-03-18 |
| CVE-2024-45965 | Contao security vulnerability | Contao | CWE-434 | 6.4 | Medium | 2024-10-02 |
| CVE-2024-45604 | Directory traversal in the file selector widget in contao/core-bundle | contao | CWE-22 | 4.3 | Medium | 2024-09-17 |
| CVE-2024-45398 | Remote command execution through file upload in contao/core-bundle | contao | CWE-434 | 8.3 | High | 2024-09-17 |
| CVE-2024-45612 | Insert tag injection via canonical URL in Contao | contao | CWE-20 | 5.3 | Medium | 2024-09-17 |
| CVE-2024-30262 | Contao's remember-me tokens will not be cleared after a password change | contao | CWE-613 | 5.9 | Medium | 2024-04-09 |
| CVE-2024-28235 | Contao possible cookie sharing with external domains while checking protected pages for broken links | contao | CWE-200 | 8.4 | High | 2024-04-09 |
| CVE-2024-28234 | Contao has insufficient BBCode sanitizer | contao | CWE-74 | 4.3 | Medium | 2024-04-09 |
| CVE-2024-28191 | Contao may have unencoded insert tags in the frontend | contao | CWE-74 | 3.1 | Low | 2024-04-09 |
| CVE-2024-28190 | Contao core bundle vulnerable to cross site scripting in the file manager | contao | CWE-79 | 5.4 | Medium | 2024-04-09 |
| CVE-2023-36806 | Contao cross site scripting vulnerability via input unit widget | contao | CWE-79 | 6.5 | Medium | 2023-07-25 |
| CVE-2023-29200 | contao/core-bundle has path traversal vulnerability in the file manager | contao | CWE-22 | 4.3 | Medium | 2023-04-25 |
| CVE-2022-24899 | Cross site scripting via canonical tag | contao | CWE-79 | 7.2 | High | 2022-05-05 |
| CVE-2021-37627 | Privilege escalation via form generator | contao | CWE-269 | 8.0 | High | 2021-08-11 |
| CVE-2021-37626 | PHP file inclusion via insert tags | contao | CWE-94 | 7.2 | High | 2021-08-11 |
| CVE-2012-4383 | contao SQL injection vulnerability | contao | - | 8.8 | - | 2020-01-29 |

This page lists every published CVE security advisory associated with contao. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.