Read the official Contao announcements.
Contao 3.5.32 is available
by Leo Feyer
Contao version 3.5.32 is available. The bugfix release fixes an XSS vulnerability in the newsletter extension (CVE-2018-5478).
The vulnerability is in the "unsubscribe" module of the newsletter extension and can easily be exploited by anyone in the front end. We therefore strongly recommend you to update.
The problem affects Contao 2.0.0 to 3.5.31 and the Contao newsletter bundle 4.0.0 to 4.0.3.
If you are not using the newsletter extension or the "unsubscribe" module, your installation is not affected by the vulnerability.