CVE-2025-57756

MEDIUM

Contao 4.9.14-4.13.55, 5.3.0-5.3.37, 5.6.0 - Unauthorized Sensitive Information Exposure via Front-End Search Index

Title source: llm
STIX 2.1

Description

Contao is an Open Source CMS. In versions starting from 4.9.14 and prior to 4.13.56, 5.3.38, and 5.6.1, protected content elements that are rendered as fragments are indexed and become publicly available in the front end search. This issue has been patched in versions 4.13.56, 5.3.38, and 5.6.1. A workaround involves disabling the front end search.

Scores

CVSS v3 5.3
EPSS 0.0027
EPSS Percentile 18.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-200 CWE-612
Status published
Products (3)
contao/contao 4.9.0 - 4.9.14
contao/contao 4.9.14 - 4.13.56Packagist
contao/core-bundle 4.9.14 - 4.13.56Packagist
Published Aug 28, 2025
Tracked Since Feb 18, 2026