contao/core-bundle Security Advisories for 5.4.1 (7)
[MEDIUM] Contao does not properly manage privileges for page and article fields
PKSA-4m99-84h8-dntz CVE-2025-57759 GHSA-qqfq-7cpp-hcqj
Affected version: >=5.4.0-RC1,<5.6.1|>=5.3.0,<5.3.38
Reported by: GitHub

[MEDIUM] Contao can disclose sensitive information in the news module
PKSA-v6p5-ssqr-1zcw CVE-2025-57757 GHSA-w53m-gxvg-vx7p
Affected version: >=5.4.0-RC1,<5.6.1|>=5.0.0-RC1,<5.3.38
Reported by: GitHub

[MEDIUM] Contao discloses sensitive information in the front end search index
PKSA-66g4-yhz3-k3zh CVE-2025-57756 GHSA-2xmj-8wmq-7475
Affected version: >=5.4.0-RC1,<5.6.1|>=5.0.0-RC1,<5.3.38|>=4.9.14,<4.13.56
Reported by: GitHub

[MEDIUM] Contao applies improper access control in the back end voters
PKSA-c2g8-xqxr-4cjw CVE-2025-57758 GHSA-7m47-r75r-cx8v
Affected version: >=5.4.0-RC1,<5.6.1|>=5.0.0,<5.3.38
Reported by: GitHub

[MEDIUM] Contao Vulnerable to Cross-Site Scripting (XSS) through SVG uploads
PKSA-pmyp-m45j-62p1 CVE-2025-29790 GHSA-vqqr-fgmh-f626
Affected version: >=5.4.0,<5.5.6|>=5.3.0,<5.3.30|>=4.0.0,<4.13.54
Reported by: GitHub

[MEDIUM] Contao affected by insert tag injection via canonical URL
PKSA-8psg-sb44-9n6y CVE-2024-45612 GHSA-2xpq-xp6c-5mgj
Affected version: >=5.4.0,<5.4.3|>=5.0.0,<5.3.15|>=4.13.0,<4.13.49
Reported by: GitHub

[HIGH] Contao affected by remote command execution through file upload
PKSA-5k7g-byhd-8xrm CVE-2024-45398 GHSA-vm6r-j788-hjh5
Affected version: >=5.4.0,<5.4.3|>=5.0.0,<5.3.15|>=4.0.0,<4.13.49
Reported by: GitHub