Platform: php
Component: contao/core-bundle
Fixed in: 5.3.1, 5.4.1, 5.3.38
CVE-2025-57759 is a privilege escalation vulnerability affecting Contao CMS versions 5.3.9 and earlier. This allows unauthorized backend users to modify page and article fields, potentially leading to content manipulation and website defacement. Affected versions include those prior to 5.3.38 and 5.6.1. An update to a patched version is required to remediate this issue.
The primary impact of CVE-2025-57759 is unauthorized modification of content within a Contao CMS installation. An attacker with backend access, even with limited privileges, could leverage this vulnerability to alter page content, article text, or other editable fields. This could lead to defacement of the website, propagation of misinformation, or manipulation of user data. The blast radius is limited to the content accessible through the CMS, and lateral movement is not directly facilitated by this vulnerability. The potential for damage depends on the sensitivity of the content managed within the Contao CMS.
This vulnerability was publicly disclosed on August 28, 2025. There is no indication of active exploitation or inclusion on the CISA KEV catalog at the time of writing. Public proof-of-concept code is not currently available, but the relatively straightforward nature of the vulnerability suggests that it may be developed in the future. The vulnerability's impact is contingent on an attacker already having authenticated access to the Contao CMS backend.
Websites and organizations using Contao CMS versions 5.3.9 and earlier are at risk. This includes those running shared hosting environments where CMS updates are not managed by the hosting provider. Those with custom Contao installations or legacy configurations are particularly vulnerable if they have not been proactively monitoring security advisories.
• php / server: find /var/www/contao/ -path '*/contao/core-bundle' -type d (the package lives under the Composer vendor directory, e.g. vendor/contao/core-bundle)
• php / server: ps aux | grep -i contao
• generic web: check the Contao CMS version exposed in HTTP headers or the website footer.
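A more reliable check than searching the filesystem is to read the version that Composer pinned. The script below is an added example, not part of the advisory or the Contao project: it parses a composer.lock, finds contao/core-bundle, and compares the version against the fixed releases the advisory names (5.3.38 and 5.6.1); the mapping of those releases to branches is an assumption, and the sample lock file is constructed.

```python
import json
import re
from typing import Optional

PACKAGE = "contao/core-bundle"
# Assumed branch mapping: 5.3.x is fixed from 5.3.38, later branches from 5.6.1.
FIXED_53 = (5, 3, 38)
FIXED_56 = (5, 6, 1)

def parse_version(v: str) -> Optional[tuple]:
    """Turn '5.3.9', 'v5.3.9' or '5.3.9.0' into a comparable tuple; None if unparseable."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", v)
    return tuple(int(x) for x in m.groups()) if m else None

def is_affected(version: str) -> Optional[bool]:
    """True if the version predates the fix on its branch, None for dev/unknown versions."""
    t = parse_version(version)
    if t is None:
        return None
    if t < FIXED_53:
        return True      # 5.3.9 and earlier, and every 5.3.x before 5.3.38
    if t[:2] == (5, 3):
        return False     # 5.3.38 and later 5.3.x are patched
    return t < FIXED_56  # 5.4.x, 5.5.x and 5.6.0 lack the fix; 5.6.1+ is patched

def installed_version(lock_json: str) -> Optional[str]:
    """Return the contao/core-bundle version pinned in a composer.lock, if present."""
    lock = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == PACKAGE:
                return pkg.get("version")
    return None

def check_lock(lock_json: str) -> Optional[bool]:
    """None if the package is absent from the lock file, else the is_affected verdict."""
    v = installed_version(lock_json)
    return None if v is None else is_affected(v)

# Constructed composer.lock fragment, reduced to the fields the check reads.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "symfony/console", "version": "v6.4.10"},
    {"name": "contao/core-bundle", "version": "5.3.9"}], "packages-dev": []})

if __name__ == "__main__":
    print(PACKAGE, installed_version(SAMPLE_LOCK), "affected:", check_lock(SAMPLE_LOCK))
```

Run it against a real lock file by replacing SAMPLE_LOCK with the contents of your project's composer.lock; a None verdict means the version string (e.g. a dev branch) could not be compared and needs manual review.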
Disclosure
Exploit status
EPSS: 0.04% (11th percentile)
CISA SSVC
CVSS vector
The definitive mitigation for CVE-2025-57759 is to upgrade your Contao CMS installation to version 5.3.38 or 5.6.1. Given the lack of workarounds, immediate patching is crucial. If an upgrade is not immediately feasible due to compatibility concerns or breaking changes, consider temporarily restricting access to the backend and carefully reviewing user permissions to minimize the potential impact. There are no specific WAF or proxy rules that can effectively mitigate this vulnerability without patching the underlying CMS. After upgrading, confirm the fix by attempting to edit a page or article with a user account that should not have editing permissions; the action should be denied.
Update Contao to version 5.3.38 or later. This update fixes the privilege management vulnerability that allows unauthorized users to edit page and article fields. The update can be performed through the Contao Manager or by downloading the new version from the official website.
CVE-2025-57759 is a vulnerability in Contao CMS versions 5.3.9 and earlier that allows unauthorized backend users to edit page and article fields.
You are affected if you are using Contao CMS versions 5.3.9 or earlier. Upgrade to 5.3.38 or 5.6.1 to mitigate the risk.
Upgrade Contao CMS to version 5.3.38 or 5.6.1. There are no workarounds available.
There is currently no indication of active exploitation, but it's possible attackers may develop exploits in the future.
Refer to the Contao GitHub issue tracker: https://github.com/contao/contao/issues/new/choose