Here you will find a list of vulnerabilities that have already been found and fixed in Contao. If you think that you have found a security issue in Contao, please report it according to our security policy.
SQL injection in the newsletter module
CVE ID: CVE-2018-5478
The vulnerability is in the "unsubscribe" module of the newsletter extension. It can easily be exploited by anyone, without logging in to the front end.
Affected versions: Contao 3.* up to 3.5.31
Recommendation: Update to Contao 3.5.32.