Information disclosure in Contao - CVE-2025-57757

Published: May 5, 2026
Vulnerability identifier: #VU130145
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-57757
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Contao
Affected software:
Contao

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to exposure of sensitive information to an unauthorized actor in the news module's RSS feed when a feed is generated for protected news archives. A remote attacker can read such an RSS feed to obtain the contents of protected news items.

News items from protected news archives are not filtered out during feed generation and can therefore become publicly available in the RSS feed.


How to mitigate CVE-2025-57757

Install the security update from the vendor's website.

Sources