Insert tag injection via canonical URL in Contao
Description
Contao is an Open Source CMS. In affected versions an untrusted user can inject insert tags into the canonical tag, which are then replaced on the web page (front end). Users are advised to update to Contao 4.13.49, 5.3.15 or 5.4.3. Users unable to upgrade should disable canonical tags in the root page settings.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Contao CMS allows insert tag injection via canonical URLs, enabling unauthenticated attackers to execute arbitrary insert tags on the front end.
Vulnerability
Overview
Contao CMS versions prior to 4.13.49, 5.3.15, and 5.4.3 are vulnerable to an insert tag injection through the canonical tag. The `headBag::getCanonicalUriForRequest` method returns a URL that is used in the HTML `<link rel="canonical">` tag without sanitizing insert tags. An untrusted user can inject insert tags (e.g., `{{some_tag}}`) into the canonical URL, which are then processed and replaced by Contao's insert tag engine on the front end [1].
Exploitation
An attacker with the ability to influence the canonical URL (e.g., by manipulating request parameters or via other injection points) can inject arbitrary insert tags. The vulnerability requires no authentication and has low attack complexity, as described in the associated GitHub Security Advisory [3]. The injection occurs during page rendering, and the attacker's payload is evaluated server-side.
Impact
Successful exploitation allows an attacker to execute arbitrary insert tags, which can lead to content injection, data leakage, or other unintended behaviors depending on the available insert tag functionality. The severity is compounded by the fact that insert tags in Contao can perform sensitive operations such as including templates or fetching data [3].
Mitigation
Users are advised to update to Contao 4.13.49, 5.3.15, or 5.4.3, which include a fix that escapes braces ({, }) in the canonical URL to prevent insert tag processing [4]. If upgrading is not immediately possible, disabling canonical tags in the root page settings provides a workaround [1].
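As an added example (not Contao's own code and not taken from the advisory), the following PHP models both the defect described in the Vulnerability overview and the fix from the Mitigation section: a toy `replaceInsertTags()` stands in for Contao's insert tag engine, and `renderCanonicalVulnerable()` / `renderCanonicalFixed()` show the canonical link before and after the brace encoding that the patch applies ahead of `htmlspecialchars()`. The tag table, the URL and the function names are constructed for illustration; the simplified `{{name}}` regex is an assumption and does not reproduce Contao's real tag grammar.

```php
<?php
declare(strict_types=1);

// Stand-in for Contao's insert tag engine: replaces {{name}} with a value
// from a lookup table. Constructed for this example; Contao's real engine
// supports far more tag forms, which is exactly why raw braces are dangerous.
function replaceInsertTags(string $html, array $tags): string
{
    return preg_replace_callback(
        '/\{\{([^{}]+)\}\}/',
        static fn (array $m): string => $tags[$m[1]] ?? $m[0],
        $html
    ) ?? $html;
}

// Pre-fix behaviour: htmlspecialchars() leaves braces untouched, so a
// {{...}} sequence in the URL survives into the template and is evaluated
// when the insert tag engine runs over the rendered page.
function renderCanonicalVulnerable(string $uri): string
{
    $href = htmlspecialchars($uri, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5);
    return '<link rel="canonical" href="' . $href . '">';
}

// Post-fix behaviour, mirroring the patch: percent-encode braces first.
// %7B/%7D are the URL encodings of { and }, so the canonical URL keeps its
// meaning for browsers and crawlers while the engine never sees {{...}}.
function renderCanonicalFixed(string $uri): string
{
    $encoded = str_replace(['{', '}'], ['%7B', '%7D'], $uri);
    $href = htmlspecialchars($encoded, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5);
    return '<link rel="canonical" href="' . $href . '">';
}

// Defender-side check usable in a regression test or a log audit: does a
// canonical URL still carry raw braces that could be read as an insert tag?
function canonicalHasRawInsertTag(string $uri): bool
{
    return preg_match('/\{\{[^{}]*\}\}/', $uri) === 1;
}

// Constructed sample values: a tag that resolves to something the page
// author never meant to expose, and a request-influenced canonical URL
// carrying that tag.
$tags = ['some_tag' => 'SECRET-VALUE'];
$uri  = 'https://example.com/page?ref={{some_tag}}';

$pageVulnerable = replaceInsertTags(renderCanonicalVulnerable($uri), $tags);
$pageFixed      = replaceInsertTags(renderCanonicalFixed($uri), $tags);

echo 'raw tag present in URL: ', var_export(canonicalHasRawInsertTag($uri), true), PHP_EOL;
echo 'vulnerable: ', $pageVulnerable, PHP_EOL;   // href carries the substituted tag value
echo 'fixed:      ', $pageFixed, PHP_EOL;        // href keeps %7B%7Bsome_tag%7D%7D unchanged
```

Running the script with `php` prints two link tags; only the vulnerable one contains the substituted tag value, while the fixed one still shows the encoded braces. The encoding is done before `htmlspecialchars()` on purpose: HTML escaping protects the attribute context, but it has no effect on braces, so the insert tag processing that happens on the rendered output has to be neutralised by a separate step, which is what the patch adds.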
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| contao/core-bundle (Packagist) | >= 4.13.0, < 4.13.49 | 4.13.49 |
| contao/core-bundle (Packagist) | >= 5.0.0, < 5.3.15 | 5.3.15 |
| contao/core-bundle (Packagist) | >= 5.4.0, < 5.4.3 | 5.4.3 |
Affected products
- contao/contao v5, range: >= 4.13.0, < 4.13.49
Patches
1 file changed · +4 −1
core-bundle/contao/pages/PageRegular.php+4 −1 modified@@ -221,7 +221,10 @@ private function prepare($objPage) // Canonical if ($objPage->enableCanonical) { - $this->Template->canonical = htmlspecialchars($headBag->getCanonicalUriForRequest($request), ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5); + $this->Template->canonical = htmlspecialchars( + str_replace(array('{', '}'), array('%7B', '%7D'), $headBag->getCanonicalUriForRequest($request)), + ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5 + ); } // Fall back to the default title tag
1 file changed · +4 −1
core-bundle/contao/pages/PageRegular.php+4 −1 modified@@ -221,7 +221,10 @@ private function prepare($objPage) // Canonical if ($objPage->enableCanonical) { - $this->Template->canonical = htmlspecialchars($headBag->getCanonicalUriForRequest($request), ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5); + $this->Template->canonical = htmlspecialchars( + str_replace(array('{', '}'), array('%7B', '%7D'), $headBag->getCanonicalUriForRequest($request)), + ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5 + ); } // Fall back to the default title tag
ffe05cda5310 Merge commit from fork
1 file changed · +4 −1
core-bundle/src/Resources/contao/pages/PageRegular.php+4 −1 modified@@ -239,7 +239,10 @@ protected function prepare($objPage) // Canonical if ($objPage->enableCanonical) { - $this->Template->canonical = htmlspecialchars($headBag->getCanonicalUriForRequest($request), ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5); + $this->Template->canonical = htmlspecialchars( + str_replace(array('{', '}'), array('%7B', '%7D'), $headBag->getCanonicalUriForRequest($request)), + ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5 + ); } // Fall back to the default title tag
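Review bot: none of the three commits (the two `core-bundle/contao/pages/PageRegular.php` hunks at line 221 and the `core-bundle/src/Resources/contao/pages/PageRegular.php` hunk at line 239) adds a regression test for the changed `prepare()` path; a test that feeds a canonical URI containing `{{` and `}}` through the page and asserts that the rendered `href` still contains `%7B%7B` / `%7D%7D` and no substituted tag value would keep the encoding from being dropped in a later refactor. The `str_replace(array('{', '}'), array('%7B', '%7D'), ...)` call is also unexplained inline; a one-line comment naming the insert tag injection it prevents would help, since a reader who only sees the surrounding `htmlspecialchars(...)` cannot tell why braces need separate handling. The change itself is sound: `%7B` and `%7D` are the percent-encodings of the two braces, so the canonical URL keeps its meaning while the insert tag engine no longer sees a `{{...}}` sequence.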
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-2xpq-xp6c-5mgj (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-45612 (ghsa, ADVISORY)
- contao.org/en/security-advisories/insert-tag-injection-via-canonical-urls (ghsa, x_refsource_MISC, WEB)
- github.com/contao/contao/commit/1c28e9ac7a7b915134962a59681a8701a44ccbe2 (ghsa, WEB)
- github.com/contao/contao/commit/d105224e14ddc84f27cd8802b553369decdcbe66 (ghsa, WEB)
- github.com/contao/contao/commit/ffe05cda5310dc2bd259d1391197f3849dab8590 (ghsa, WEB)
- github.com/contao/contao/security/advisories/GHSA-2xpq-xp6c-5mgj (ghsa, x_refsource_CONFIRM, WEB)