
CVE-2022-24899: Contao versions before 4.13.3 allow malicious code in website URLs

GHSA-m8x6-6r63-qvj2 CVE-2022-24899
Summary

Contao 4.13.0 through 4.13.2 allow an attacker to inject code into the canonical tag that the CMS generates from the website's URL, a cross-site scripting issue (CWE-79). Update to version 4.13.3 or later; as a workaround, disable canonical tags in the root page settings.

What to do
  • Update the Composer package contao/core-bundle to version 4.13.3 or later.
  • Update the Composer package contao/contao to version 4.13.3 or later.
Affected software
Ecosystem   Vendor   Product       Affected versions        Fix
composer    contao   core-bundle   >= 4.13.0, < 4.13.3      upgrade to 4.13.3
composer    contao   contao        >= 4.13.0, < 4.13.3      upgrade to 4.13.3
(CPE)       contao   contao        >= 4.13.0, <= 4.13.2     cpe:2.3:a:contao:contao:*:*:*:*:*:*:*:*
Original description
Contao is a powerful open source CMS that allows you to create professional websites and scalable web applications. In versions of Contao prior to 4.13.3 it is possible to inject code into the canonical tag. As a workaround users may disable canonical tags in the root page settings.
CVSS 3.1 base score (GHSA): 7.2
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 6 May 2022 · Updated: 15 Jun 2026 · First seen: 6 Mar 2026