contao/core-bundle Security Advisories for 5.0.10 (9)
- [MEDIUM] Contao can disclose sensitive information in the news module
  PKSA-v6p5-ssqr-1zcw CVE-2025-57757 GHSA-w53m-gxvg-vx7p
  Affected version: >=5.4.0-RC1,<5.6.1|>=5.0.0-RC1,<5.3.38
  Reported by: GitHub
- [MEDIUM] Contao discloses sensitive information in the front end search index
  PKSA-66g4-yhz3-k3zh CVE-2025-57756 GHSA-2xmj-8wmq-7475
  Affected version: >=5.4.0-RC1,<5.6.1|>=5.0.0-RC1,<5.3.38|>=4.9.14,<4.13.56
  Reported by: GitHub
- [MEDIUM] Contao applies improper access control in the back end voters
  PKSA-c2g8-xqxr-4cjw CVE-2025-57758 GHSA-7m47-r75r-cx8v
  Affected version: >=5.4.0-RC1,<5.6.1|>=5.0.0,<5.3.38
  Reported by: GitHub
- [MEDIUM] Contao affected by insert tag injection via canonical URL
  PKSA-8psg-sb44-9n6y CVE-2024-45612 GHSA-2xpq-xp6c-5mgj
  Affected version: >=5.4.0,<5.4.3|>=5.0.0,<5.3.15|>=4.13.0,<4.13.49
  Reported by: GitHub
- [HIGH] Contao affected by remote command execution through file upload
  PKSA-5k7g-byhd-8xrm CVE-2024-45398 GHSA-vm6r-j788-hjh5
  Affected version: >=5.4.0,<5.4.3|>=5.0.0,<5.3.15|>=4.0.0,<4.13.49
  Reported by: GitHub
- [LOW] Contao: Unencoded insert tags in the frontend
  PKSA-rk65-kfm6-21d9 CVE-2024-28191 GHSA-747v-52c4-8vj8
  Affected version: >=5.0.0-RC1,<5.3.4|>=4.0.0,<4.13.40
  Reported by: GitHub
- [MEDIUM] Contao: Cross site scripting in the file manager
  PKSA-bxmw-zt4x-f182 CVE-2024-28190 GHSA-v24p-7p4j-qvvf
  Affected version: >=5.0.0-RC1,<5.3.4|>=4.0.0,<4.13.40
  Reported by: GitHub
- [HIGH] Contao: Possible cookie sharing with external domains while checking protected pages for broken links
  PKSA-g1qg-mn7d-638g CVE-2024-28235 GHSA-9jh5-qf84-x6pr
  Affected version: >=5.0.0-RC1,<5.3.4|>=4.9.0,<4.13.40
  Reported by: GitHub
- [MEDIUM] Cross site scripting via input unit widget
  PKSA-kc45-s13v-qqqk CVE-2023-36806 GHSA-4gpr-p634-922x
  Affected version: >=5.0.0,<5.1.10|>=4.10.0,<4.13.28|>=4.0.0,<4.9.42
  Reported by: GitHub