by Leo Feyer
Information disclosure in the front end search index
Date: 2025-08-28
CVE ID: CVE-2025-57756
Protected content elements that are rendered as fragments are indexed and become publicly available in the front end search.
Affected versions
Contao 4.9 from 4.9.14
Contao 4.10
Contao 4.11
Contao 4.12
Contao 4.13 up to 4.13.55
Contao 5.0
Contao 5.1
Contao 5.2
Contao 5.3 up to 5.3.37
Contao 5.4
Contao 5.5
Contao 5.6 up to 5.6.0
Suggested solution
Upgrade to Contao 4.13.56, 5.3.38 or 5.6.1.
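
A version check for the affected ranges listed above, as an added example that is not part of the original advisory or of the Contao code base. It assumes the installed Contao version equals the version of the `contao/core-bundle` package recorded in `composer.lock`. It also covers a case a plain "at least the fixed version" comparison gets wrong: a release such as 5.4.8 is numerically above the fixed 5.3.38 yet still affected.

```python
import json
import re

# Affected ranges from the advisory, as inclusive (low, high) version tuples.
AFFECTED = [
    ((4, 9, 14), (4, 13, 55)),  # 4.9 from 4.9.14 through 4.13.55
    ((5, 0, 0), (5, 3, 37)),    # 5.0 through 5.3.37
    ((5, 4, 0), (5, 6, 0)),     # 5.4, 5.5 and 5.6.0
]
# Assumption: the installed Contao version is the version of this package.
PACKAGE = "contao/core-bundle"


def parse_version(text):
    """Return (major, minor, patch) or None for branch aliases like dev-main."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(p) for p in m.groups()) if m else None


def is_affected(version):
    """True/False for a parseable version, None if it cannot be judged."""
    v = parse_version(version)
    if v is None:
        return None
    return any(low <= v <= high for low, high in AFFECTED)


def check_lock(lock_text):
    """Find the Contao package in composer.lock content and judge its version."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == PACKAGE:
            return pkg["version"], is_affected(pkg["version"])
    return None, None


# Constructed sample lock file content (not from a real project).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "symfony/console", "version": "v6.4.1"},
    {"name": "contao/core-bundle", "version": "5.4.8"},
]})

if __name__ == "__main__":
    for ver in ("4.9.13", "4.13.55", "4.13.56", "5.3.38", "5.4.8", "5.6.1"):
        print(ver, is_affected(ver))
    print(check_lock(SAMPLE_LOCK))
```

A result of `None` means the version string could not be parsed (for example a branch alias) and the installation has to be checked by hand.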
Workaround
Disable the front end search.
More information
https://github.com/contao/contao/security/advisories/GHSA-2xmj-8wmq-7475