Read the official Contao announcements.
Contao 4.4.46 and 4.8.6 are available
by Leo Feyer – Announcements
To fully mitigate the vulnerability CVE-2019-19745, you have to examine the existing file upload fields in the form generator. If there is an upload field with a forbidden file extension, you have to assume that your installation has been compromised. In this case, review the uploaded files carefully, check the user permissions and look for suspicious log entries.