Cross site scripting via canonical tag
Description
Contao is a powerful open source CMS that allows you to create professional websites and scalable web applications. In versions of Contao prior to 4.13.3 it is possible to inject code into the canonical tag. As a workaround users may disable canonical tags in the root page settings.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Contao 4.13.0 up to but not including 4.13.3 writes a request-derived canonical URL into the page head without HTML escaping, giving an unauthenticated, reflected cross-site scripting (XSS) vector.
Vulnerability
Contao, an open source CMS, is vulnerable to code injection in the canonical tag (the `<link rel="canonical" href="...">` element it emits for SEO purposes). The fix commit shows the cause: in `PageRegular::prepare()` the canonical URI is built from the incoming request (`$headBag->getCanonicalUriForRequest($request)`) and assigned to the template without escaping, so characters that are special inside an HTML attribute reach the markup verbatim. No authentication is needed to supply the request. Affected versions, per the advisory's package ranges: 4.13.0 up to but not including 4.13.3. [1]
Exploitation
An attacker crafts a request whose URL contains attribute-breaking or tag-opening characters (`"`, `<`, `>`); because the canonical value is derived from that request and inserted unescaped, the payload is reflected into the canonical tag of the response. The attack is network-reachable and requires no authentication, only that canonical tags are enabled for the root page. [1]
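The following is an added example (not Contao's own code) that models the shape of the vulnerable and fixed lines from the patch: a request-derived URI assigned to a template variable and printed into `href="..."`. `canonicalUriForRequest()`, `renderCanonicalVulnerable()`, `renderCanonicalFixed()` and `canonicalTagIsIntact()` are hypothetical stand-ins; how Contao actually assembles the URL from the Symfony request is not reproduced here, only what the template does with the resulting bytes.

```php
<?php
declare(strict_types=1);

// Added example, not Contao's own code. It mirrors the shape of the fixed
// lines in PageRegular::prepare(): a request-derived canonical URI is assigned
// to a template variable and later printed inside href="...".

// Hypothetical stand-in for HtmlHeadBag::getCanonicalUriForRequest(). The real
// method assembles the URL from the Symfony Request object; all that matters
// here is that request-controlled bytes reach the template verbatim.
function canonicalUriForRequest(string $scheme, string $host, string $pathAndQuery): string
{
    return $scheme . '://' . $host . $pathAndQuery;
}

// Before 4.13.3: the raw value lands inside the attribute.
function renderCanonicalVulnerable(string $uri): string
{
    return '<link rel="canonical" href="' . $uri . '">';
}

// 4.13.3: htmlspecialchars() around the value. The flags are spelled out here;
// the patch itself relies on PHP's defaults, which only escape single quotes
// from PHP 8.1 onwards (ENT_COMPAT is the default on 7.4 and 8.0).
function renderCanonicalFixed(string $uri): string
{
    $escaped = htmlspecialchars($uri, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<link rel="canonical" href="' . $escaped . '">';
}

// Post-render check a deployment test could run against the page head: the
// output must be exactly one <link> element whose href value contains no raw
// quote or angle bracket. Anything else means the attribute was broken out of.
function canonicalTagIsIntact(string $html): bool
{
    return preg_match('/^<link rel="canonical" href="([^"<>]*)">$/', $html) === 1;
}

// Constructed input: a query string carrying an attribute-terminating quote and
// a tag. It demonstrates the escaping difference, not a tested Contao payload.
$uri = canonicalUriForRequest('https', 'example.com', '/news.html?q="><b>x</b>');

$before = renderCanonicalVulnerable($uri);
$after  = renderCanonicalFixed($uri);

printf("before: %s  intact=%s\n", $before, var_export(canonicalTagIsIntact($before), true));
printf("after:  %s  intact=%s\n", $after,  var_export(canonicalTagIsIntact($after), true));
```

Run it with `php canonical.php` (any PHP 7.4+). The vulnerable render fails the intact check because the injected `"` closes the attribute and `<b>` opens a new element; the fixed render passes because every special character is entity-encoded. Note that the fixed form also turns `&` in a query string into `&amp;`, which is the correct way to write an ampersand inside an HTML attribute and is decoded back by the browser.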
Impact
Successful exploitation yields reflected Cross-Site Scripting (XSS): the attacker can inject arbitrary HTML or JavaScript into the page head, which may lead to session hijacking, defacement, or other actions carried out in the context of the affected site for any user who follows the crafted link. [1]
Mitigation
The issue is fixed in Contao 4.13.3, which wraps the canonical value (and, in the same change, the meta robots value) in `htmlspecialchars()` before it reaches the template. Users are advised to upgrade to 4.13.3 or later. As a workaround, canonical tags can be disabled in the root page settings until the patch is applied; this is effective because the patched code shows the canonical assignment is only executed when `$objPage->enableCanonical` is set, so with the option off the vulnerable output is never emitted. [1]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| contao/core-bundle (Packagist) | >= 4.13.0, < 4.13.3 | 4.13.3 |
| contao/contao (Packagist) | >= 4.13.0, < 4.13.3 | 4.13.3 |
Affected products
Three GHSA coordinate entries, two version ranges:
- (no CPE) range: >= 4.13.0, < 4.13.3
- (no CPE) range: >= 4.13.0, < 4.13.3
- contao/contao (v5 range): < 4.13.3
Patches
199206849a87: Merge pull request from GHSA-m8x6-6r63-qvj2
1 file changed · +2 −2
core-bundle/src/Resources/contao/pages/PageRegular.php+2 −2 modified@@ -230,12 +230,12 @@ protected function prepare($objPage) $this->Template->pageTitle = str_replace('[-]', '', $this->Template->pageTitle); // Meta robots tag - $this->Template->robots = $headBag->getMetaRobots(); + $this->Template->robots = htmlspecialchars($headBag->getMetaRobots()); // Canonical if ($objPage->enableCanonical) { - $this->Template->canonical = $headBag->getCanonicalUriForRequest($request); + $this->Template->canonical = htmlspecialchars($headBag->getCanonicalUriForRequest($request)); } // Fall back to the default title tag
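Review bot: both new `htmlspecialchars()` calls use PHP's default flags, which on PHP 7.4 and 8.0 (both supported by the 4.13 branch) are ENT_COMPAT and leave single quotes unescaped, so the fix only holds as long as the templates always wrap `$this->canonical` and `$this->robots` in double quotes; passing the flags explicitly, e.g. `$this->Template->canonical = htmlspecialchars($headBag->getCanonicalUriForRequest($request), ENT_QUOTES | ENT_SUBSTITUTE);`, removes that dependency on the PHP version. Escaping at assignment time also means the templates must output these two values raw; if any template already escapes them, an `&` in a kept query parameter will be double-encoded to `&amp;amp;`, so the corresponding template output should be checked in the same change. The robots line is outside the scope described by the advisory; a sentence in the commit or PR description saying it is defense in depth would help anyone reviewing the change later.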
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-m8x6-6r63-qvj2 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-24899 (NVD entry)
- contao.org/en/security-advisories/cross-site-scripting-via-canonical-url.html (vendor advisory)
- github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2022-24899.yaml (FriendsOfPHP advisory, contao/contao)
- github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2022-24899.yaml (FriendsOfPHP advisory, contao/core-bundle)
- github.com/contao/contao/commit/199206849a87ddd0fa5cf674eb3c58292fd8366c (fix commit)
- github.com/contao/contao/security/advisories/GHSA-m8x6-6r63-qvj2 (project advisory)