Information disclosure in Contao - CVE-2025-57756

 


Published: May 5, 2026


Vulnerability identifier: #VU130146
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-57756
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Contao
Affected software: Contao

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to exposure of sensitive information to an unauthorized actor in the front end search index when indexing protected content elements rendered as fragments. A remote attacker can search the front end search index to disclose sensitive information.

Only protected content elements that are rendered as fragments are exposed through the front end search.


How to mitigate CVE-2025-57756

Install the security update from the vendor's website.
