CVE-2021-35955
Description
Contao >=4.0.0 allows backend XSS via HTML attributes to an HTML field. Fixed in 4.4.56, 4.9.18, 4.11.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Contao 4.0.0 and later are vulnerable to backend stored XSS via crafted HTML attributes in an HTML field; fixed in 4.4.56, 4.9.18, 4.11.7.
Vulnerability
Contao versions 4.0.0 to 4.4.55, 4.9.0 to 4.9.17, and 4.11.0 to 4.11.6 suffer from a backend cross-site scripting (XSS) vulnerability in the HTML field. An attacker can inject malicious JavaScript via HTML attributes when editing content in the backend.
Exploitation
An attacker needs backend access with privileges to edit content (e.g., a user or admin role). The attacker crafts an HTML string containing a malicious event handler attribute (e.g., onload, onclick) and stores it in an HTML field. When the field is rendered in the backend interface, the XSS executes.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the backend, potentially leading to session hijacking, data theft, or actions performed as the victim user.
Mitigation
Upgrade to Contao 4.4.56, 4.9.18, or 4.11.7 or later [1]. No workarounds are mentioned. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| contao/core-bundle (Packagist) | >= 4.0.0, < 4.4.56 | 4.4.56 |
| contao/contao (Packagist) | >= 4.0.0, < 4.4.56 | 4.4.56 |
| contao/contao (Packagist) | >= 4.5.0, < 4.9.18 | 4.9.18 |
| contao/contao (Packagist) | >= 4.10.0, < 4.11.7 | 4.11.7 |
| contao/core-bundle (Packagist) | >= 4.5.0, < 4.9.18 | 4.9.18 |
| contao/core-bundle (Packagist) | >= 4.10.0, < 4.11.7 | 4.11.7 |
Affected products
- Contao/Contao (GHSA coordinates), 2 version ranges: >= 4.0.0, < 4.4.56 (+ 1 more)
- (no CPE) range: >= 4.0.0, < 4.4.56
- (no CPE) range: >= 4.0.0, < 4.4.56
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-hr3h-x6gq-rqcp (GHSA; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-35955 (GHSA; ADVISORY)
- contao.org/en/news/contao-4-9-16-and-4-11-5-are-available.html (GHSA; x_refsource_MISC; WEB)
- contao.org/en/security-advisories/cross-site-scripting-via-html-attributes-in-the-back-end.html (GHSA; WEB)
- github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2021-35955.yaml (GHSA; WEB)
- github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2021-35955.yaml (GHSA; WEB)
- github.com/contao/contao/security/advisories/GHSA-hr3h-x6gq-rqcp (GHSA; x_refsource_MISC; WEB)
News mentions
No linked articles in our index yet.