Cross-site scripting in Contao - CVE-2023-36806

Published: July 25, 2023 / Updated: May 5, 2026

Vulnerability identifier: #VU130134
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-36806
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Contao
Affected software: Contao

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary script in the back end preview and on the website.

The vulnerability exists because user-supplied widget content in widgets with units is not properly sanitized before it is rendered (cross-site scripting, CWE-79). A remote user can inject malicious code that is then executed in the back end preview and on the website.

User interaction is required for the malicious script to be executed.

How to mitigate CVE-2023-36806

Install the security update from the vendor's website.

Sources