5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-57756

GHSA ID

GHSA-2xmj-8wmq-7475

EPSS Score

CWE

CWE-200

Published

8/28/2025

Updated

8/28/2025

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-57756

CVE-2025-57756: Contao discloses sensitive information in the front end search index

Impact

Protected content elements that are rendered as fragments are indexed and become publicly available in the front end search.

Patches

Update to Contao 4.13.56, 5.3.38 or 5.6.1.

Workarounds

Disable the front end search.

For more information

If you have any questions or comments about this advisory, open an issue in contao/contao.

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-57756

GHSA ID

GHSA-2xmj-8wmq-7475

EPSS Score

CWE

CWE-200

Published

8/28/2025

Updated

8/28/2025

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
contao/core-bundle	composer	>= 4.9.14, < 4.13.56	4.13.56
contao/contao	composer	>= 4.9.14, < 4.13.56	4.13.56
contao/core-bundle	composer	>= 5.0.0-RC1, < 5.3.38	5.3.38
contao/core-bundle	composer	>= 5.4.0-RC1, < 5.6.1	5.6.1
contao/contao	composer	>= 5.0.0-RC1, < 5.3.38	5.3.38
contao/contao	composer	>= 5.4.0-RC1, < 5.6.1	5.6.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the incorrect implementation of protection checks within the Contao core bundle. Specifically, the getFrontendModule and getContentElement functions in Contao\Controller were using the wrong object variables ($objModule and $objElement respectively) to verify if a module or content element was marked as protected. The patch corrects this by using the $objRow object, which accurately reflects the protection status. As a result of this flaw, content that was intended to be restricted was instead being indexed by the search system, making it accessible to unauthorized users through the front-end search interface. The identified functions are directly responsible for this information leak as they contain the flawed conditional logic that was bypassed.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t Prot**t** *ont*nt *l*m*nts t**t *r* r*n**r** *s *r**m*nts *r* in**x** *n* ***om* pu*li*ly *v*il**l* in t** *ront *n* s**r**. ### P*t***s Up**t* to *ont*o *.**.**, *.*.** or *.*.*. ### Work*roun*s *is**l* t** *ront *n* s**r**. ### *or

Reasoning

T** vuln*r**ility li*s in t** in*orr**t impl*m*nt*tion o* prot**tion ****ks wit*in t** *ont*o *or* *un*l*. Sp**i*i**lly, t** `**t*ront*n*Mo*ul*` *n* `**t*ont*nt*l*m*nt` *un*tions in `*ont*o\*ontroll*r` w*r* usin* t** wron* o*j**t v*ri**l*s (`$o*jMo*u

5.3

Basic Information

Concerned about an active attack path?

CVE-2025-57756: Contao discloses sensitive information in the front end search index

Impact

Patches

Workarounds

For more information

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI