Contao Information Disclosure Vulnerability in News Module

Vulnerability

An information-disclosure vulnerability has been identified in Contao versions 5.0.0 through 5.3.37, as well as 5.4 and 5.5. When a news feed includes protected news archives, the news items from those archives are not filtered and become publicly available through the RSS feed. The issue is fixed in Contao versions 5.3.38 and 5.6.1. As a workaround, do not include protected news archives in the news feed page.

Impact

Exploiting this vulnerability exposes protected news items to anyone who can fetch the RSS feed, an unauthorized information disclosure.

Reproduction

The vulnerability can be reproduced by creating a news feed that includes protected news archives. The unfiltered news items from these archives will then be publicly accessible in the RSS feed.
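The behaviour described above comes down to a missing filter: a feed is rendered for an anonymous audience, yet items from archives that are restricted to member groups are emitted anyway. The following Python example is added here and is not Contao code; it models the archive/item relationship with plain data classes and invented example.test URLs, shows the unfiltered and the filtered feed side by side, and includes a small audit routine a site operator can run against a feed to confirm that nothing from a protected archive (identified here, as an assumption, by URL prefix) is present after applying the fix or the workaround.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field


# Hypothetical model of a news archive: "protected" archives are readable only
# by members of the listed groups. Not Contao's own data model.
@dataclass
class Archive:
    alias: str
    protected: bool = False
    groups: frozenset = field(default_factory=frozenset)


@dataclass
class NewsItem:
    archive: str
    title: str
    url: str


def visible_items(items, archives, user_groups=None, filter_protected=True):
    """Return the items an audience with `user_groups` may see.

    A feed is fetched anonymously (user_groups=None). With filter_protected=True
    only items from unprotected archives are emitted; filter_protected=False
    models the unfixed behaviour, where every item of the selected archives is
    emitted regardless of protection.
    """
    by_alias = {a.alias: a for a in archives}
    out = []
    for item in items:
        archive = by_alias[item.archive]
        if not filter_protected or not archive.protected:
            out.append(item)
        elif user_groups and archive.groups & set(user_groups):
            out.append(item)
    return out


def build_rss(items, channel_title="News"):
    """Serialise items as a minimal RSS 2.0 document."""
    rss = ET.Element("rss", version="2.0")
    channel = ET.SubElement(rss, "channel")
    ET.SubElement(channel, "title").text = channel_title
    for item in items:
        el = ET.SubElement(channel, "item")
        ET.SubElement(el, "title").text = item.title
        ET.SubElement(el, "link").text = item.url
    return ET.tostring(rss, encoding="unicode")


def audit_feed(rss_xml, protected_prefixes):
    """Return feed links that fall under a protected archive's URL prefix.

    Assumption: each archive's items live under a distinct URL prefix, so the
    prefix is enough to attribute a link to an archive.
    """
    root = ET.fromstring(rss_xml)
    return [
        link
        for item in root.iter("item")
        if any((link := item.findtext("link") or "").startswith(p) for p in protected_prefixes)
    ]


# Constructed sample data (not from any real site).
ARCHIVES = [
    Archive("public-news"),
    Archive("members-only", protected=True, groups=frozenset({"members"})),
]
ITEMS = [
    NewsItem("public-news", "Release notes", "https://example.test/news/public-news/release-notes"),
    NewsItem("members-only", "Internal roadmap", "https://example.test/news/members-only/roadmap"),
]
PROTECTED_PREFIXES = ["https://example.test/news/members-only/"]


def demo():
    """Audit the unfixed feed and the filtered feed; returns (leaked_before, leaked_after)."""
    unfiltered = build_rss(visible_items(ITEMS, ARCHIVES, filter_protected=False))
    filtered = build_rss(visible_items(ITEMS, ARCHIVES))
    return audit_feed(unfiltered, PROTECTED_PREFIXES), audit_feed(filtered, PROTECTED_PREFIXES)


if __name__ == "__main__":
    before, after = demo()
    print("leaked before fix:", before)
    print("leaked after fix: ", after)
```

Running `demo()` reports the members-only link in the unfiltered feed and nothing in the filtered one. To verify a live site after updating, fetch the feed URL without a session cookie and pass the XML to `audit_feed` with the URL prefixes of your protected archives; any link returned is an item the feed should not be carrying.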

Remediation

To address this vulnerability, users should update to Contao versions 5.3.38 or 5.6.1.

Added: Aug 28, 2025, 5:23 PM
Updated: Aug 28, 2025, 5:23 PM

Vulnerability Rating

Custom Algorithm

spread          5.2
impact          2.5
exploitability  9.3
remediation     8.3
relevance       0.4
threat          4.8
urgency         2.9
incentive      10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.