Contao is a powerful open source CMS that allows you to create professional websites and scalable web applications. In versions of Contao prior to 4.13.3 it is possible to inject code into the canonical tag. As a workaround users may disable canonical tags in the root page settings.


Cross site scripting via canonical URL


leofeyer published GHSA-m8x6-6r63-qvj2

May 5, 2022


Package: contao/core-bundle (Composer)

Affected versions

>= 4.13.0

Patched versions

4.13.3
Impact

Untrusted users can inject malicious code into the canonical tag, which is then executed on the web page (front end).


Patches

Update to Contao 4.13.3.


Workarounds

Disable canonical tags in the root page settings.


For more information

If you have any questions or comments about this advisory, open an issue in contao/contao.
