Read the official Contao announcements.
Security vulnerability CVE-2019-11512
by Leo Feyer
David Wind, penetration tester with A1 Digital, has discovered that the SQL injection vulnerability originally published under CVE-2017-16558 can still be exploited in the file manager in Contao 4. The security vulnerability has the identifier CVE-2019-11512.
The problem affects all Contao versions as of Contao 4.1 and has been fixed in Contao 4.4.39 and Contao 4.7.5.