GHSA-vm6r-j788-hjh5

GitHub Security Advisory

Contao affected by remote command execution through file upload

Advisory Details

### Impact

Back end users with access to the file manager can upload malicious files and execute them on the server.

### Patches

Update to Contao 4.13.49, 5.3.15 or 5.4.3.

### Workarounds

Configure your web server so it does not execute PHP files and other scripts in the Contao file upload directory.
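As an added example (not part of the advisory or of the Contao project), the workaround expressed as an nginx configuration: the permissive server block routes every `.php` URI, including files under the upload directory, to PHP-FPM, while the hardened block places the upload directory in a prefix location that never reaches the PHP handler. The `/files/` upload path, the `/var/www/contao/public` web root and the `php-fpm` upstream name are assumptions.

```nginx
# Permissive: this regex location also matches /files/anything.php, so an
# uploaded script is handed to PHP-FPM and executed.
server {
    listen 80;
    server_name example.test;          # constructed example host
    root /var/www/contao/public;       # assumed Contao web root

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass php-fpm;          # assumed upstream name
    }
}

# Hardened: a "^~" prefix location wins over regex locations for every URI
# under the upload directory, so nothing stored there reaches the PHP handler.
server {
    listen 80;
    server_name example.test;
    root /var/www/contao/public;

    # Assumed upload directory (Contao's default is files/ under the web root).
    location ^~ /files/ {
        # Refuse script-like extensions outright rather than serving them as
        # text; covers PHP variants and other interpreters a server might route.
        location ~* \.(php|php\d|phtml|phar|pl|py|cgi|sh)$ {
            return 403;
        }
        # Everything else (images, PDFs, ...) is served as a plain static file.
        try_files $uri =404;
    }

    # The application front controller and other PHP outside the upload
    # directory keep working as before.
    location ~ \.php$ {
        try_files $uri =404;           # never pass a missing path to FPM
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass php-fpm;
    }
}
```

Verify the hardened block by placing a harmless `.php` file in the upload directory and confirming the request returns 403 instead of executed output; the same effect on Apache is obtained by disabling the PHP handler for that directory.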

### References

https://contao.org/en/security-advisories/remote-command-execution-through-file-uploads

### For more information

If you have any questions or comments about this advisory, open an issue in [contao/contao](https://github.com/contao/contao/issues/new/choose).

### Credits

Thanks to Jakob Steeg from usd AG for reporting this vulnerability.

Affected Packages

| Ecosystem | Package | Affected versions | Fixed in |
| --- | --- | --- | --- |
| Packagist | contao/core-bundle | 4.0.0 | 4.13.49 |
| Packagist | contao/core-bundle | 5.0.0 | 5.3.15 |
| Packagist | contao/core-bundle | 5.4.0 | 5.4.3 |

Key Information

- GHSA ID: GHSA-vm6r-j788-hjh5
- Published: September 17, 2024 2:58 PM
- Last Modified: September 17, 2024 10:24 PM
- CVSS Score: 7.5 / 10
- Primary Ecosystem: Packagist
- Primary Package: contao/core-bundle
- GitHub Reviewed: Yes

Dataset

Last updated: July 28, 2025 6:37 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.