Read the official Contao announcements.
Contao 3.2.7 is available
by Leo Feyer
Contao version 3.2.7 is available. The bugfix release fixes more security holes related to the PHP object injection vulnerability, which was discovered in Contao in February, 2014.
Please be assured that we are not releasing updates for the sake of releasing updates. A number of well-known Contao developers have spend several hours together to find an optimal compromise between security and backwards compatibility. Unfortunately, the attack scenario is rather complex, so new ways to exploit the vulnerability kept appearing. We have now chosen a very restrictive hardening approach which hopefully solves the problem.