| Severity | Score | CVE | Advisory | Affected versions |
|---|---|---|---|---|
| | | | | >= 4.1.0, < 4.4.39 |
| CRITICAL | 9.8 | CVE-2017-16558 | Contao SQL injection in the backend and listing module | >= 3.0.0, <= 3.5.30 |
| CRITICAL | 9.8 | CVE-2019-10641 | Contao Does Not Invalidate Existing Sessions When Password Changes | >= 4.0.0, < 4.4.37 |
| CRITICAL | 9.8 | | Contao Does Not Expire Tokens Correctly | >= 4.7.0, < 4.7.3 |
| HIGH | 8.8 | | Path traversal vulnerability in the file manager | >= 4.9.0, < 4.9.40 |
| HIGH | 8.8 | | Contao CSRF Token Bypass | >= 4.7.0, < 4.7.3 |
| HIGH | 8.8 | | Contao Core directory traversal vulnerability | >= 4.0.0, < 4.4.1 |
| HIGH | 8.8 | | Unrestricted file uploads in Contao | >= 4.0.0, < 4.4.46 |
| HIGH | 8.0 | | Privilege escalation via form generator | >= 4.0.0, < 4.4.56 |
| HIGH | 7.2 | | Cross site scripting via canonical tag in Contao | >= 4.13.0, < 4.13.3 |
| MEDIUM | 6.7 | | PHP file inclusion via insert tags | >= 4.0.0, < 4.4.56 |
| MEDIUM | 6.5 | | Contao Information Disclosure via Access Control Flaws | >= 3.0.0, < 3.5.37 |
| MEDIUM | 6.1 | | Cross-site Scripting in Contao | >= 4.0.0, < 4.4.18 |
| MEDIUM | 6.1 | | Cross site scripting in the system log | >= 4.5.0, < 4.9.16 |
| MEDIUM | 5.9 | | Cross site scripting via HTML attributes in the back end | >= 4.0.0, < 4.4.56 |
| MEDIUM | 5.3 | | Contao can disclose sensitive information in the news module | >= 5.0.0-RC1, < 5.3.38 |
| MEDIUM | 5.3 | | Contao discloses sensitive information in the front end search index | >= 4.9.14, < 4.13.56 |
| MEDIUM | 5.3 | | Contao Insert tag injection in forms | >= 4.0.0, < 4.4.52 |
| MEDIUM | 5.3 | | Insert tag injection in the Contao login module | >= 4.8.4, < 4.8.6 |
| MEDIUM | 5.3 | | Information disclosure in the Contao backend | >= 4.0.0, < 4.4.46 |
| MEDIUM | 4.3 | | Contao does not properly manage privileges for page and article fields | >= 5.3.0, < 5.3.38 |
| MEDIUM | 4.3 | | Contao applies improper access control in the back end voters | >= 5.0.0, < 5.3.38 |