The issue, however, is not finding an answer to that question, but rather the question itself! 😉 Here is our opinion on why you shouldn't think about it for too long:
Of course, you could try to analyse the vulnerability and understand how it can be exploited – provided you have the necessary expertise (and a little time to do so). Then you would have to check every single Contao installation to see if it is vulnerable. If your installation is affected, you have to install the update. Even if it isn't, the problem isn't permanently solved, because websites are usually a constant work in progress and circumstances can change quickly.
Let's assume that the vulnerability can only be exploited if you have a form on your website. Currently you have no form, so you consider the installation safe. And remember: according to data protection laws in some countries, you also have to document why you did not install the security update. A few weeks later, the customer gets in touch and asks for a contact form, so you set it up. Suddenly the situation has changed and the update becomes relevant after all. Oops!
Now you might argue that this wouldn't happen to you and that you'd remember to update in such a case. But that's not the point. The entire process we've described is so time-consuming that you shouldn't be asking yourself these questions in the first place. Just install the update!
If you have maintenance contracts with your customers and also use trakked, the whole update only takes a few minutes, depending on the number of installations.
That's why our answer to this question is ALWAYS: Install the update! It couldn't be any easier.