Skip to main content

Contao

29 CVEs product

Monthly

CVE-2025-65961 PHP LOW PATCH Monitor

Contao is an Open Source CMS. Rated low severity (CVSS 3.3), this vulnerability is remotely exploitable. No vendor patch available.

Code Injection Contao
NVD GitHub
CVSS 3.1
3.3
EPSS
0.0%
CVE-2025-65960 PHP MEDIUM PATCH This Month

Contao is an Open Source CMS. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. No vendor patch available.

PHP Information Disclosure Contao
NVD GitHub
CVSS 3.1
6.6
EPSS
0.0%
CVE-2025-57759 PHP MEDIUM PATCH This Month

Contao is an Open Source CMS. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.

Privilege Escalation Contao
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-57758 PHP MEDIUM PATCH This Month

Contao is an Open Source CMS. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Contao
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-57757 PHP MEDIUM PATCH This Month

Contao is an Open Source CMS. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Contao
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-57756 PHP MEDIUM PATCH This Month

Contao is an Open Source CMS. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Contao
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-29790 PHP MEDIUM PATCH Monitor

Contao is an Open Source CMS. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Contao
NVD GitHub
CVSS 4.0
4.8
EPSS
0.1%
CVE-2024-45965 MEDIUM POC This Month

Contao before 5.5.6 allows XSS via an SVG document. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS File Upload Contao
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-45604 PHP MEDIUM PATCH This Month

Contao is an Open Source CMS. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Contao
NVD GitHub
CVSS 3.1
4.3
EPSS
0.4%
CVE-2024-45398 PHP HIGH PATCH This Week

Contao is an Open Source CMS. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP File Upload Contao
NVD GitHub
CVSS 3.1
8.8
EPSS
0.5%
CVE-2024-45612 PHP MEDIUM PATCH This Month

Contao is an Open Source CMS. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Canonical Contao
NVD GitHub
CVSS 3.1
5.3
EPSS
0.3%
CVE-2024-30262 PHP HIGH PATCH This Week

Contao is an open source content management system. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity.

Session Fixation Information Disclosure Contao
NVD GitHub
CVSS 3.1
7.1
EPSS
0.5%
CVE-2024-28235 PHP MEDIUM PATCH This Month

Contao is an open source content management system. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Contao
NVD GitHub
CVSS 3.1
6.5
EPSS
0.7%
CVE-2024-28234 PHP MEDIUM PATCH This Month

Contao is an open source content management system. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Code Injection Contao
NVD GitHub
CVSS 3.1
4.7
EPSS
0.6%
CVE-2024-28191 PHP MEDIUM PATCH This Month

Contao is an open source content management system. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

Code Injection Contao
NVD GitHub
CVSS 3.1
5.4
EPSS
0.5%
CVE-2024-28190 PHP MEDIUM PATCH This Month

Contao is an open source content management system. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Contao
NVD GitHub
CVSS 3.1
5.4
EPSS
0.5%
CVE-2023-36806 PHP MEDIUM POC PATCH This Month

Contao is an open source content management system. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Contao
NVD GitHub
CVSS 3.1
5.4
EPSS
0.5%
CVE-2023-29200 PHP MEDIUM PATCH This Month

Contao is an open source content management system. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Contao
NVD GitHub
CVSS 3.1
6.5
EPSS
0.8%
CVE-2022-24899 PHP MEDIUM POC PATCH This Month

Contao is a powerful open source CMS that allows you to create professional websites and scalable web applications. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Canonical XSS Contao
NVD GitHub
CVSS 3.1
6.1
EPSS
4.4%
CVE-2022-26265 PHP CRITICAL POC THREAT Act Now

Contao Managed Edition v1.5.0 was discovered to contain a remote command execution (RCE) vulnerability via the component php_cli parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Contao
NVD GitHub
CVSS 3.1
9.8
EPSS
30.4%
CVE-2021-35955 PHP MEDIUM PATCH This Month

Contao >=4.0.0 allows backend XSS via HTML attributes to an HTML field. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Contao
NVD GitHub
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-37627 PHP HIGH PATCH This Week

Contao is an open source CMS that allows creation of websites and scalable web applications. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Contao
NVD GitHub
CVSS 3.1
7.2
EPSS
1.0%
CVE-2021-37626 PHP HIGH PATCH This Week

Contao is an open source CMS that allows you to create websites and scalable web applications. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE PHP Code Injection Contao
NVD GitHub
CVSS 3.1
7.2
EPSS
1.3%
CVE-2021-35210 PHP MEDIUM PATCH This Month

Contao 4.5.x through 4.9.x before 4.9.16, and 4.10.x through 4.11.x before 4.11.5, allows XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Contao
NVD GitHub
CVSS 3.1
6.1
EPSS
0.7%
CVE-2020-25768 PHP MEDIUM PATCH This Month

Contao before 4.4.52, 4.9.x before 4.9.6, and 4.10.x before 4.10.1 have Improper Input Validation. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Contao
NVD
CVSS 3.1
5.3
EPSS
0.8%
CVE-2019-19745 PHP HIGH PATCH This Week

Contao 4.0 through 4.8.5 allows PHP local file inclusion. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP File Upload Contao
NVD
CVSS 3.1
8.8
EPSS
1.1%
CVE-2019-19714 PHP MEDIUM PATCH This Month

Contao 4.8.4 and 4.8.5 has Improper Encoding or Escaping of Output. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Contao
NVD
CVSS 3.1
5.3
EPSS
0.8%
CVE-2019-19712 PHP MEDIUM PATCH This Month

Contao 4.0 through 4.8.5 has Insecure Permissions. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Contao
NVD
CVSS 3.1
5.3
EPSS
0.9%
CVE-2019-11512 PHP CRITICAL PATCH Act Now

Contao 4.x allows SQL Injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Contao
NVD
CVSS 3.0
9.8
EPSS
1.5%
EPSS 0% CVSS 3.3
LOW PATCH Monitor

Contao is an Open Source CMS. Rated low severity (CVSS 3.3), this vulnerability is remotely exploitable. No vendor patch available.

Code Injection Contao
NVD GitHub
EPSS 0% CVSS 6.6
MEDIUM PATCH This Month

Contao is an Open Source CMS. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. No vendor patch available.

PHP Information Disclosure Contao
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Contao is an Open Source CMS. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.

Privilege Escalation Contao
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Contao is an Open Source CMS. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Contao
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Contao is an Open Source CMS. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Contao
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Contao is an Open Source CMS. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Contao
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH Monitor

Contao is an Open Source CMS. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Contao
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC This Month

Contao before 5.5.6 allows XSS via an SVG document. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS File Upload Contao
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Contao is an Open Source CMS. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Contao
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Contao is an Open Source CMS. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP File Upload Contao
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Contao is an Open Source CMS. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Canonical Contao
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Contao is an open source content management system. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity.

Session Fixation Information Disclosure Contao
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Contao is an open source content management system. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Contao
NVD GitHub
EPSS 1% CVSS 4.7
MEDIUM PATCH This Month

Contao is an open source content management system. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Code Injection Contao
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Contao is an open source content management system. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

Code Injection Contao
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

Contao is an open source content management system. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Contao
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC PATCH This Month

Contao is an open source content management system. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Contao
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Contao is an open source content management system. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Contao
NVD GitHub
EPSS 4% CVSS 6.1
MEDIUM POC PATCH This Month

Contao is a powerful open source CMS that allows you to create professional websites and scalable web applications. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Canonical XSS Contao
NVD GitHub
EPSS 30% CVSS 9.8
CRITICAL POC THREAT Act Now

Contao Managed Edition v1.5.0 was discovered to contain a remote command execution (RCE) vulnerability via the component php_cli parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Contao
NVD GitHub
EPSS 1% CVSS 4.8
MEDIUM PATCH This Month

Contao >=4.0.0 allows backend XSS via HTML attributes to an HTML field. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Contao
NVD GitHub
EPSS 1% CVSS 7.2
HIGH PATCH This Week

Contao is an open source CMS that allows creation of websites and scalable web applications. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Contao
NVD GitHub
EPSS 1% CVSS 7.2
HIGH PATCH This Week

Contao is an open source CMS that allows you to create websites and scalable web applications. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE PHP Code Injection +1
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

Contao 4.5.x through 4.9.x before 4.9.16, and 4.10.x through 4.11.x before 4.11.5, allows XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Contao
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Contao before 4.4.52, 4.9.x before 4.9.6, and 4.10.x before 4.10.1 have Improper Input Validation. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Contao
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Contao 4.0 through 4.8.5 allows PHP local file inclusion. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP File Upload Contao
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Contao 4.8.4 and 4.8.5 has Improper Encoding or Escaping of Output. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Contao
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Contao 4.0 through 4.8.5 has Insecure Permissions. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Contao
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Contao 4.x allows SQL Injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Contao
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy