contao

43 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2025-65961 · affected >= 4.0.0 and < 4.13.57 · 3.3 LOW
Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, it is possible to inject code

CVE-2025-65960 · affected >= 4.0.0 and < 4.13.57 · 6.6 MEDIUM
Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, back end users with precise c

CVE-2025-57759 · affected >= 5.3.0 and < 5.3.38 · 4.3 MEDIUM
Contao is an Open Source CMS. In versions starting from 5.3.0 and prior to 5.3.38 and 5.6.1, under certain conditions, back end us

CVE-2025-57758 · affected >= 5.3.0 and < 5.3.38 · 4.3 MEDIUM
Contao is an Open Source CMS. In versions starting from 5.0.0 and prior to 5.3.38 and 5.6.1, the table access voter in the back en

CVE-2025-57757 · affected >= 5.3.0 and < 5.3.38 · 5.3 MEDIUM
Contao is an Open Source CMS. In versions starting from 5.0.0 and prior to 5.3.38 and 5.6.1, if a news feed contains protected new

CVE-2025-57756 · affected >= 4.9.0 and <= 4.9.14 · 5.3 MEDIUM
Contao is an Open Source CMS. In versions starting from 4.9.14 and prior to 4.13.56, 5.3.38, and 5.6.1, protected content elements

CVE-2025-29790 · affected >= 4.0.0 and < 4.13.53 · 5.4 MEDIUM
Contao is an Open Source CMS. Users can upload SVG files with malicious code, which is then executed in the back end and/or front

CVE-2024-45965 · affected >= 4.0 and < 4.13.54 · 6.4 MEDIUM
Contao before 5.5.6 allows XSS via an SVG document. This affects (in contao/core-bundle in Composer) 4.x before 4.13.54, 5.0.x thr

CVE-2024-45604 · affected < 4.13.49 · 4.3 MEDIUM
Contao is an Open Source CMS. In affected versions authenticated users in the back end can list files outside the document root in

CVE-2024-45398 · affected >= 4.0.0 and < 4.13.49 · 8.3 HIGH
Contao is an Open Source CMS. In affected versions a back end user with access to the file manager can upload malicious files and

CVE-2024-45612 · affected >= 4.13.0 and < 4.13.49 · 5.3 MEDIUM
Contao is an Open Source CMS. In affected versions an untrusted user can inject insert tags into the canonical tag, which are then

CVE-2024-30262 · affected < 4.13.40 · 5.9 MEDIUM
Contao is an open source content management system. Prior to version 4.13.40, when a frontend member changes their password in the

CVE-2024-28235 · affected >= 4.9.0 and < 4.13.40 · 8.3 HIGH
Contao is an open source content management system. Starting in version 4.9.0 and prior to versions 4.13.40 and 5.3.4, when checki

CVE-2024-28234 · affected >= 2.0 and < 4.13.40 · 4.3 MEDIUM
Contao is an open source content management system. Starting in version 2.0.0 and prior to versions 4.13.40 and 5.3.4, it is possi

CVE-2024-28191 · affected >= 4.0.0 and < 4.13.40 · 3.1 LOW
Contao is an open source content management system. Starting in version 4.0.0 and prior to version 4.13.40 and 5.3.4, it is possib

CVE-2024-28190 · affected >= 4.0.0 and < 4.13.40 · 5.4 MEDIUM
Contao is an open source content management system. Starting in version 4.0.0 and prior to version 4.13.40 and 5.3.4, users can in

CVE-2018-5478 · affected >= 3.0.0 and < 3.5.32 · 6.1 MEDIUM
Contao 3.x before 3.5.32 allows XSS via the unsubscribe module in the frontend newsletter extension.

CVE-2023-36806 · affected >= 4.0.0 and < 4.9.42 · 6.5 MEDIUM
Contao is an open source content management system. Starting in version 4.0.0 and prior to versions 4.9.42, 4.13.28, and 5.1.10, i

CVE-2023-29200 · affected >= 2.0 and < 4.9.40 · 4.3 MEDIUM
Contao is an open source content management system. Prior to versions 4.9.40, 4.13.21, and 5.1.4, logged in users can list arbitra

CVE-2022-24899 · affected >= 4.13.0 and <= 4.13.2 · 7.2 HIGH
Contao is a powerful open source CMS that allows you to create professional websites and scalable web applications. In versions of

CVE-2022-26265 · affected all versions · 9.8 CRITICAL
Contao Managed Edition v1.5.0 was discovered to contain a remote command execution (RCE) vulnerability via the component php_cli p

CVE-2021-35955 · affected >= 4.0.0 and < 4.4.56 · 4.8 MEDIUM
Contao >=4.0.0 allows backend XSS via HTML attributes to an HTML field. Fixed in 4.4.56, 4.9.18, 4.11.7.

CVE-2021-37627 · affected >= 4.4.0 and < 4.4.56 · 8.0 HIGH
Contao is an open source CMS that allows creation of websites and scalable web applications. In affected versions it is possible t

CVE-2021-37626 · affected >= 4.4.0 and < 4.4.56 · 7.2 HIGH
Contao is an open source CMS that allows you to create websites and scalable web applications. In affected versions it is possible

CVE-2021-35210 · affected >= 4.5.0 and < 4.9.16 · 6.1 MEDIUM
Contao 4.5.x through 4.9.x before 4.9.16, and 4.10.x through 4.11.x before 4.11.5, allows XSS. It is possible to inject code into

CVE-2020-25768 · affected >= 4.0 and < 4.4.52 · 5.3 MEDIUM
Contao before 4.4.52, 4.9.x before 4.9.6, and 4.10.x before 4.10.1 have Improper Input Validation. It is possible to inject insert

CVE-2018-10125 · affected >= 3.0.0 and <= 3.5.33 · 6.1 MEDIUM
Contao before 4.5.7 has XSS in the system log.

CVE-2012-4383 · affected < 2.11.4 · 8.8 HIGH
Contao prior to 2.11.4 has a SQL injection vulnerability.

CVE-2014-1860 · affected <= 3.2.4 · 9.8 CRITICAL
Contao CMS through 3.2.4 has PHP Object Injection Vulnerabilities.

CVE-2019-19745 · affected >= 4.4 and <= 4.4.45 · 8.8 HIGH
Contao 4.0 through 4.8.5 allows PHP local file inclusion. A back end user with access to the form generator can upload arbitrary f

CVE-2019-19714 · affected all versions · 5.3 MEDIUM
Contao 4.8.4 and 4.8.5 has Improper Encoding or Escaping of Output. It is possible to inject insert tags into the login module whi

CVE-2019-19712 · affected >= 4.4.0 and <= 4.4.45 · 5.3 MEDIUM
Contao 4.0 through 4.8.5 has Insecure Permissions. Back end users can manipulate the details view URL to show pages and articles t

CVE-2019-11512 · affected >= 4.0.0 and < 4.4.39 · 9.8 CRITICAL
Contao 4.x allows SQL Injection. Fixed in Contao 4.4.39 and Contao 4.7.5.

CVE-2017-16558 · affected >= 3.0.0 and <= 3.5.30 · 9.8 CRITICAL
Contao 3.0.0 to 3.5.30 and 4.0.0 to 4.4.7 contains an SQL injection vulnerability in the back end as well as in the listing module

CVE-2019-10643 · affected all versions · 9.8 CRITICAL
Contao 4.7 allows Use of a Key Past its Expiration Date.

CVE-2019-10642 · affected all versions · 8.8 HIGH
Contao 4.7 allows CSRF.

CVE-2019-10641 · affected < 3.5.39 · 9.8 CRITICAL
Contao before 3.5.39 and 4.x before 4.7.3 has a Weak Password Recovery Mechanism for a Forgotten Password.

CVE-2018-20028 · affected >= 3.0.0 and < 3.5.37 · 6.5 MEDIUM
Contao 3.x before 3.5.37, 4.4.x before 4.4.31 and 4.6.x before 4.6.11 has Incorrect Access Control.

CVE-2017-10993 · affected <= 3.5.27 · 8.8 HIGH
Contao before 3.5.28 and 4.x before 4.4.1 allows remote attackers to include and execute arbitrary local PHP files via a crafted p

CVE-2015-0269 · affected <= 3.2.18 · 4.3 MEDIUM
Directory traversal vulnerability in Contao before 3.2.19, and 3.4.x before 3.4.4 allows remote authenticated "back end" users to

CVE-2012-1297 · affected <= 2.11.0
Multiple cross-site request forgery (CSRF) vulnerabilities in main.php in Contao (formerly TYPOlight) 2.11.0 and earlier allow rem

CVE-2011-4335 · affected <= 2.10.1
Multiple cross-site scripting (XSS) vulnerabilities in Contao before 2.10.2 allow remote attackers to inject arbitrary web script

CVE-2011-0508 · affected all versions
Cross-site scripting (XSS) vulnerability in system/modules/comments/Comments.php in Contao CMS 2.9.2, and possibly other versions
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin