CVE-2025-57758

low-risk

Published 2025-08-28

Contao is an Open Source CMS. In versions starting from 5.0.0 and prior to 5.3.38 and 5.6.1, the table access voter in the back end doesn't check if a user is allowed to access the corresponding module. This issue has been patched in versions 5.3.38 and 5.6.1. A workaround involves not relying solely on the voter and additionally to check USER_CAN_ACCESS_MODULE.

Do I need to act?

0.04% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.3/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Contao

Affected Vendors

Contao

References (3)

Vendor Advisory https://contao.org/en/security-advisories/improper-access-control-in-the-back-en...

Patch https://github.com/contao/contao/commit/3f05c603e1c94d34819f837f060df5d66447d0d7

Third Party Advisory https://github.com/contao/contao/security/advisories/GHSA-7m47-r75r-cx8v

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal