Read the official Contao announcements.
Security vulnerability CVE-2018-17057
by Leo Feyer
CVE-2018-17057 identifies a security vulnerability in TCPDF, which also affects Contao.
Through a manipulated image file, a logged in back end user can implant arbitrary code which is executed when an article is exported as PDF in the front end. The vulnerability has been fixed in TCPDF 6.2.22.
In Contao 4 you can update the dependencies in the Contao Manager, which should also install the newest TCPDF version. The Contao versions 4.4.25 and 4.6.4 additionally contain the explicit version constraint
^6.2.22 for TCPDF.
In Contao 3.5 the issue has been fixed in version 3.5.36.