by Leo Feyer

Information disclosure in the news module

Date: 2025-08-28
CVE ID: CVE-2025-57757

If a news feed contains protected news archives, their news items are not filtered and become publicly available in the RSS feed.

Affected versions

Contao 5.3 up to 5.3.37
Contao 5.4
Contao 5.5
Contao 5.6 up to 5.6.0

Suggested solution

Upgrade to Contao 5.3.38 or 5.6.1.

Workaround

Do not add protected news archives to the news feed page.
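
To apply the workaround you first need to know which feed pages currently include a protected archive. The following audit sketch is an added example, not part of the original advisory or of Contao's code. It assumes the rows come from tl_page (type "news_feed", archive selection in a PHP-serialized newsArchives field) and tl_news_archive (protected flag); these names are assumptions to verify against your installation, and the sample rows are constructed.

```python
import re

# Constructed sample rows (not real data). Field names are assumptions about
# the Contao schema: tl_page.type / tl_page.newsArchives and
# tl_news_archive.protected. Verify them against your installation.
FEED_PAGES = [
    {"id": 12, "title": "Company news feed", "type": "news_feed",
     "newsArchives": 'a:2:{i:0;s:1:"3";i:1;s:1:"7";}'},
    {"id": 15, "title": "Press feed", "type": "news_feed",
     "newsArchives": 'a:1:{i:0;i:3;}'},
    {"id": 20, "title": "Regular page", "type": "regular", "newsArchives": None},
]
ARCHIVES = [
    {"id": 3, "title": "Public news", "protected": 0},
    {"id": 7, "title": "Members only", "protected": 1},
]

# Matches one entry of a PHP-serialized flat list: i:K;s:N:"123"; or i:K;i:123;
_VALUE = re.compile(r'i:\d+;(?:s:\d+:"(\d+)"|i:(\d+));')


def archive_ids(blob):
    """Return the archive IDs stored in a PHP-serialized flat list."""
    if not blob:
        return []
    if isinstance(blob, bytes):
        blob = blob.decode("utf-8", "replace")
    return [int(s or i) for s, i in _VALUE.findall(blob)]


def audit(pages, archives):
    """List (page id, archive id) pairs where a feed includes a protected archive."""
    protected = {int(a["id"]) for a in archives
                 if str(a["protected"]) in ("1", "True")}
    findings = []
    for page in pages:
        if page["type"] != "news_feed":
            continue  # only news feed pages are relevant to this advisory
        for aid in archive_ids(page["newsArchives"]):
            if aid in protected:
                findings.append((page["id"], aid))
    return findings


if __name__ == "__main__":
    for page_id, archive_id in audit(FEED_PAGES, ARCHIVES):
        print(f"feed page {page_id} includes protected archive {archive_id}")
```

Each reported pair is a feed page from which the protected archive should be removed until the upgrade is installed.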

More information

https://github.com/contao/contao/security/advisories/GHSA-w53m-gxvg-vx7p