Security advisories

Here you will find a list of vulnerabilities that have already been found and fixed in Contao.

SQL injection in the newsletter module

Date: 2015-11-16
CVE ID: CVE-2018-5478


The vulnerability is in the "unsubscribe" module of the newsletter extension. It can easily be exploited in the front end by anyone, without logging in.

Affected versions

Contao 3.5 up to 3.5.31
Contao 4.0

Suggested solution

Update to Contao 3.5.32 or 4.1.0.

Security policy

If you think that you have found a security issue in Contao, please report it according to our security policy.