Read the official Contao announcements.
Contao 3.4.4 is available
by Leo Feyer – Announcements
The vulnerability allows logged in back end users to view files which are outside their file mounts or the document root. It is, however, not possible to edit these files or to view their content. Upgrading is still highly recommended.