Security advisories

Here you will find a list of vulnerabilities that have already been found and fixed in Contao.

2017

Date: 2017-11-15
CVE ID: CVE-2017-16558

The back end search filter and the listing module are vulnerable to SQL injections. The problem affects all Contao versions as of Contao 4.0 and has been fixed in Contao 4.4.8.

Date: 2017-07-12
CVE ID: CVE-2017-10993

A logged in back end user can include arbitrary existing PHP. The problem affects all Contao versions and has been fixed in Contao 3.5.27 and 4.4.0.

Security policy

If you think that you have found a se­cu­ri­ty is­sue in Con­tao, please re­port it ac­cor­ding to our se­cu­ri­ty poli­cy.