Description
Contao 4.0 through 4.8.5 allows PHP local file inclusion. A back end user with access to the form generator can upload arbitrary files and execute them on the server.
Remediation
References