CVE-2025-57757

Published: Aug 28, 2025Modified: Sep 2, 2025

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability: 3.9 / Impact: 1.4

Source: security-advisories@github.com (Secondary)

Description

Contao is an Open Source CMS. In versions starting from 5.0.0 and prior to 5.3.38 and 5.6.1, if a news feed contains protected news archives, their news items are not filtered and become publicly available in the RSS feed. This issue has been patched in versions 5.3.38 and 5.6.1. A workaround involves not adding protected news archives to the news feed page.

Affected (2)

Products: Contao: Contao

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Contao Contao	From 5.3.0 to 5.3.38
Contao Contao	From 5.4.0 to 5.6.1

Related CWEs

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Improper Removal of Sensitive Information Before Storage or Transfer

The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.

References (3)

https://contao.org/en/security-advisories/information-disclosure-in-the-news-module

Source: security-advisories@github.com

Vendor Advisory

https://github.com/contao/contao/commit/e75f46b11974fbf7a4652e65c19ad6ca84c59271

Source: security-advisories@github.com

Patch

https://github.com/contao/contao/security/advisories/GHSA-w53m-gxvg-vx7p

Source: security-advisories@github.com

PatchThird Party Advisory

Timeline

No history available yet.