Platform: php
Component: contao/core-bundle
Fixed in: 5.3.1, 5.4.1, 5.3.38
CVE-2025-57759 is a privilege escalation vulnerability affecting Contao CMS versions 5.3.9 and earlier. It allows backend users who lack the corresponding permissions to modify page and article fields, potentially leading to content manipulation and website defacement. Affected versions include those prior to 5.3.38 and 5.6.1. Updating to a patched version is required to remediate this issue.
The primary impact of CVE-2025-57759 is the potential for unauthorized modification of website content. An attacker with access to the Contao CMS backend, even with limited permissions, could exploit this vulnerability to alter page and article fields. This could involve changing text, images, links, or other content, effectively hijacking the website's narrative or redirecting users to malicious destinations. The blast radius is limited to the affected website and its users, but the consequences can be significant, including reputational damage, loss of user trust, and potential legal liabilities. This vulnerability highlights the importance of enforcing strict permission controls within the CMS and regularly updating to the latest stable versions.
CVE-2025-57759 was publicly disclosed on August 28, 2025. There is currently no indication of active exploitation or a KEV listing. No public proof-of-concept exploits are known at this time. Given the relatively straightforward nature of privilege escalation vulnerabilities, it is possible that attackers may develop and deploy exploits in the future.
Exploit Status
EPSS: 0.04% (11th percentile)
CISA SSVC
CVSS Vector
The definitive mitigation for CVE-2025-57759 is to upgrade Contao CMS to version 5.3.38 or 5.6.1. These versions include the necessary fixes to prevent unauthorized field editing. As there are no workarounds, applying the update is the only viable solution. Before upgrading, it is recommended to create a full backup of the website, including the database and files. After the upgrade, thoroughly test all website functionality to ensure compatibility and identify any potential issues. Confirm the fix by attempting to access and modify page/article fields with a user account that should not have those permissions.
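Before scheduling the upgrade, the first question is whether the locked contao/core-bundle in a project is in the affected range. The script below is an added example, not code from the advisory or the Contao project: it reads a composer.lock, finds contao/core-bundle and compares its version against the fixed releases named in the text above (5.3.38 and 5.6.1). The branch rule it applies, that 5.3.x is fixed from 5.3.38 and the 5.4 to 5.6 branches from 5.6.1, is this script's own reading of "prior to 5.3.38 and 5.6.1" and should be confirmed against the vendor release notes; the composer.lock fragment is constructed for demonstration.

```python
"""Check a composer.lock for a contao/core-bundle version affected by CVE-2025-57759.

Added example, not part of the original advisory. Fixed versions come from the
advisory text (5.3.38 and 5.6.1); the per-branch rule below is an assumption.
"""
import json
import re
from typing import Optional, Tuple

# Lowest patched release per branch, as stated in the advisory prose.
FIXED_5_3 = (5, 3, 38)   # 5.3 LTS branch
FIXED_5_6 = (5, 6, 1)    # 5.6 branch (assumed to cover 5.4.x and 5.5.x as well)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'v5.3.10' or '5.6.0' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> Optional[bool]:
    """True if the version is below its branch fix, False if patched,
    None if the advisory's ranges say nothing about this branch.

    Assumption: 5.3.x needs >= 5.3.38; 5.4.x through 5.6.x need >= 5.6.1;
    5.0 to 5.2 are treated as affected ("5.3.9 and earlier"); other majors
    and 5.7+ are not covered by the advisory data and are reported as None.
    """
    major, minor, patch = parse_version(version)
    if major != 5:
        return None
    if minor < 3:
        return True
    if minor == 3:
        return (major, minor, patch) < FIXED_5_3
    if minor <= 6:
        return (major, minor, patch) < FIXED_5_6
    return None


def installed_core_bundle(lock_json: str) -> Optional[str]:
    """Return the locked contao/core-bundle version from composer.lock text, or None."""
    data = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == "contao/core-bundle":
                return pkg["version"]
    return None


def check_lock(lock_json: str) -> str:
    """One-line verdict for a composer.lock document."""
    version = installed_core_bundle(lock_json)
    if version is None:
        return "contao/core-bundle not found in lock file"
    verdict = is_affected(version)
    if verdict is None:
        state = "not covered by the advisory ranges, check release notes"
    elif verdict:
        state = "AFFECTED, upgrade to 5.3.38 or 5.6.1"
    else:
        state = "patched"
    return f"contao/core-bundle {version}: {state} (CVE-2025-57759)"


# Constructed composer.lock fragment for demonstration only (not a real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "contao/core-bundle", "version": "5.3.10"},
        {"name": "symfony/http-kernel", "version": "v6.4.8"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))
```

Run it against a real lock file with `check_lock(open("composer.lock").read())`; a `None` verdict means the advisory's stated ranges do not cover that branch, which is a prompt to consult the release notes rather than a clean bill of health.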
Update Contao to version 5.3.38 or later. This update fixes the privilege management vulnerability that allows unauthorized users to edit page and article fields. The update can be performed through the Contao Manager or by downloading the new version from the official website.
CVE-2025-57759 is a vulnerability in Contao CMS versions 5.3.9 and earlier that allows unauthorized backend users to edit page and article fields.
You are affected if you are using Contao CMS versions 5.3.9 or earlier. Upgrade to 5.3.38 or 5.6.1 to mitigate the risk.
Upgrade Contao CMS to version 5.3.38 or 5.6.1. There are no workarounds available.
There is currently no indication of active exploitation, but it's possible attackers may develop exploits in the future.
Refer to the Contao GitHub issue tracker: https://github.com/contao/contao/issues/new/choose