Security advisories

Here you will find a list of vulnerabilities that have already been found and fixed in Contao. If you think that you have found a security issue in Contao, please report it according to our security policy.

SQL injection in the newsletter module

Date: 2018-01-18
CVE ID: CVE-2018-5478


The vulnerability is in the "unsubscribe" module of the newsletter extension. It can easily be exploited in the front end by anyone, without logging in.

Affected versions

Contao 3.* up to 3.5.31

Suggested solution

Update to Contao 3.5.32.
