Read the official Contao announcements.
Contao 2.11.14 is available
by Leo Feyer – Announcements
Contao version 2.11.14 is available. The bugfix release fixes a potential PHP object injection vulnerability (thanks to Pedro Ribeiro).
The vulnerability exists, because POST data is passed to the
deserialize() function, which was the case in the core multiple times. However, we were not able to exploit the vulnerability if the POST data was accessed via the Contao
Input class. This does not mean that it cannot be accomplished though.
We recommend the extension developers to review their code and clean the
deserialize() calls with POST data. We highly recommend the users to upgrade to Contao 2.11.14.