contao/core-bundle Security Advisories for 5.6.0-RC1 (8)
-
Server-side request forgery (SSRF) via unvalidated RSS feed URLs
PKSA-yx24-z15d-x2k7 CVE-2026-57232
Affected version: >=5.3.35,<5.3.48|>=5.4.0,<5.7.9
Reported by:
FriendsOfPHP/security-advisories -
Credentials disclosure in the crawler
PKSA-f8tt-pn3h-s2tw CVE-2026-55824
Affected version: >=4.13.0,<5.3.47|>=5.4.0,<5.7.7
Reported by:
FriendsOfPHP/security-advisories -
[LOW] Contao is vulnerable to cross-site scripting in templates
PKSA-3p5h-vgz7-458z CVE-2025-65961 GHSA-68q5-78xp-cwwc
Affected version: >=5.4.0-RC1,<5.6.5|>=5.0.0-RC1,<5.3.42|>=4.0.0,<4.13.57
Reported by:
GitHub -
[MEDIUM] Contao is vulnerable to remote code execution in template closures
PKSA-wjhx-cdbz-9x61 CVE-2025-65960 GHSA-98vj-mm79-v77r
Affected version: >=5.4.0-RC1,<5.6.5|>=5.0.0-RC1,<5.3.42|>=4.0.0,<4.13.57
Reported by:
GitHub -
[MEDIUM] Contao does not properly manage privileges for page and article fields
PKSA-4m99-84h8-dntz CVE-2025-57759 GHSA-qqfq-7cpp-hcqj
Affected version: >=5.4.0-RC1,<5.6.1|>=5.3.0,<5.3.38
Reported by:
GitHub -
[MEDIUM] Contao can disclose sensitive information in the news module
PKSA-v6p5-ssqr-1zcw CVE-2025-57757 GHSA-w53m-gxvg-vx7p
Affected version: >=5.4.0-RC1,<5.6.1|>=5.0.0-RC1,<5.3.38
Reported by:
GitHub -
[MEDIUM] Contao discloses sensitive information in the front end search index
PKSA-66g4-yhz3-k3zh CVE-2025-57756 GHSA-2xmj-8wmq-7475
Affected version: >=5.4.0-RC1,<5.6.1|>=5.0.0-RC1,<5.3.38|>=4.9.14,<4.13.56
Reported by:
GitHub -
[MEDIUM] Contao applies improper access control in the back end voters
PKSA-c2g8-xqxr-4cjw CVE-2025-57758 GHSA-7m47-r75r-cx8v
Affected version: >=5.4.0-RC1,<5.6.1|>=5.0.0,<5.3.38
Reported by:
GitHub