CVE-2025-57756
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-28

Last updated on: 2025-09-02

Assigner: GitHub, Inc.

Description
Contao is an Open Source CMS. In versions starting from 4.9.14 and prior to 4.13.56, 5.3.38, and 5.6.1, protected content elements that are rendered as fragments are indexed and become publicly available in the front end search. This issue has been patched in versions 4.13.56, 5.3.38, and 5.6.1. A workaround involves disabling the front end search.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-28
Last Modified
2025-09-02
Generated
2026-06-16
AI Q&A
2025-08-28
EPSS Evaluated
2026-06-14
NVD
CVE-2025-57756
EUVD
EUVD-2025-26127
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
contao contao From 4.9.0 (inc) to 4.9.14 (inc)
contao contao From 4.10.0 (inc) to 4.13.56 (exc)
contao contao From 5.0.0 (inc) to 5.3.38 (exc)
contao contao From 5.4.0 (inc) to 5.6.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-612 The product creates a search index of private or sensitive documents, but it does not properly limit index access to actors who are authorized to see the original information.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-57756 is an information disclosure vulnerability in the Contao CMS where protected content elements that are rendered as fragments are improperly indexed by the front end search feature. This causes these protected contents to become publicly accessible through the search, even though they should remain restricted. The issue affects multiple versions of Contao prior to patched releases and can be mitigated by upgrading or disabling the front end search. [1, 2]

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive or protected content on your website, as the front end search index exposes content that should remain private. This means that anyone using the search feature can access information that was intended to be restricted, potentially leading to data leaks or exposure of confidential information. [1, 2]

Compliance Impact

The vulnerability can negatively impact compliance with data protection regulations such as GDPR and HIPAA because it allows unauthorized access to protected or sensitive information. Exposure of such data through the front end search could constitute a breach of confidentiality requirements mandated by these standards, potentially leading to legal and regulatory consequences. [2]

Detection Guidance

This vulnerability can be detected by checking if protected content elements are being indexed and publicly accessible through the front end search feature of Contao CMS. Since the issue involves protected content fragments appearing in search results, you can test the front end search functionality for exposure of sensitive or protected content. There are no specific commands provided in the resources, but a practical approach is to perform searches on the front end of the affected Contao site to see if protected content appears. Additionally, reviewing the Contao version installed can help identify if it is within the vulnerable range (4.9.14 up to 4.13.55, 5.3 up to 5.3.37, or 5.6 up to 5.6.0). [1, 2]

Mitigation Strategies

Immediate mitigation steps include upgrading Contao CMS to the patched versions 4.13.56, 5.3.38, or 5.6.1, which fix the issue by preventing protected content fragments from being indexed. If upgrading immediately is not possible, a recommended workaround is to disable the front end search feature to prevent protected content from being exposed through search results. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-57756. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart