Here you will find a list of vulnerabilities that have already been found and fixed in Contao. If you think that you have found a security issue in Contao, please report it according to our security policy.
Cross-site scripting in the system log
CVE ID: CVE-2018-10125
With a manipulated request, an attacker can inject a script that is executed when a logged-in back end user opens the system log. The attacker does not have to be logged in.
Contao 3.* up to 3.5.33
Contao 4.4 up to 4.4.16
Contao 4.5 up to 4.5.6
Update to Contao 3.5.34, 4.4.17 or 4.5.7.