Information Disclosure Vulnerability in Contao CMS
CVE-2025-57757

5.3 MEDIUM

Key Information:

Vendor: Contao
Status: Vendor
CVE Published: 28 August 2025

What is CVE-2025-57757?

Contao CMS, an open-source content management system, contains an information disclosure vulnerability: news items that belong to protected news archives are inadvertently included in the public RSS feed. This issue affects versions from 5.0.0 up to, but not including, 5.3.38 and 5.6.1. Because the feed is publicly reachable, it allows unauthenticated access to information that was meant to be restricted to authorised users. To protect against this risk, upgrade to a patched version; as a workaround, do not add protected news archives to the news feed page.

Affected Version(s)

contao >= 5.0.0-RC1, < 5.3.38

contao >= 5.4.0-RC1, < 5.6.1

References

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
