CVE-2025-57759

Published: Aug 28, 2025Modified: Sep 2, 2025

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Exploitability: 2.8 / Impact: 1.4

Source: security-advisories@github.com (Secondary)

Description

Contao is an Open Source CMS. In versions starting from 5.3.0 and prior to 5.3.38 and 5.6.1, under certain conditions, back end users may be able to edit fields of pages and articles without having the necessary permissions. This issue has been patched in versions 5.3.38 and 5.6.1. There are no workarounds.

Affected (2)

Products: Contao: Contao

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Contao Contao	From 5.3.0 to 5.3.38
Contao Contao	From 5.4.0 to 5.6.1

Related CWEs

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

References (3)

https://contao.org/en/security-advisories/improper-privilege-management-for-page-and-article-fields

Source: security-advisories@github.com

Vendor Advisory

https://github.com/contao/contao/commit/80ee7db12d55ad979d9b1b180f273d4e2668851f

Source: security-advisories@github.com

Patch

https://github.com/contao/contao/security/advisories/GHSA-qqfq-7cpp-hcqj

Source: security-advisories@github.com

PatchThird Party Advisory

Timeline

No history available yet.