Here you will find a list of vulnerabilities that have already been found and fixed in Contao. If you think that you have found a security issue in Contao, please report it according to our security policy.
SQL injection in the file manager
CVE ID: CVE-2019-11512
David Wind, penetration tester with A1 Digital, has discovered that the SQL injection vulnerability originally published under CVE-2017-16558 can still be exploited in the file manager in Contao 4. The security vulnerability has the identifier CVE-2019-11512.
Affected versions: Contao 4.4 up to 4.4.38, Contao 4.7 up to 4.7.4
Solution: Update to Contao 4.4.39 or 4.7.5.