Contao 5.3.47 released

Contao 5.3.47, a new version of the Contao open source CMS, has been released.

This release primarily focuses on security and reliability improvements. It addresses a vulnerability in the Contao crawler that could expose authentication credentials to external hosts and further tightens the execution scope of web-triggered cron jobs and workers. In addition, image search results have been improved, HTML-to-text conversion has been refined by excluding style and script content, and several issues related to authentication workflows have been resolved, including the handling of two-factor authentication during impersonation.

Security vulnerability closed:

Contao crawler leaks auth credentials to external hosts (CVE-2026-55824)

Changelog of the fixed issues in Contao 5.3.47:

#9894 Support the form attribute in widgets ( aschempp )
#9900 Fix an issue with adding multiple ptable conditions to $strWhere ( lukasbableck )
#9903 Use the correct sitemap namespace identifier ( lukasbableck )
#9888 Convert binary UUIDs in user insert tag ( fritzmg )
#8688 Remove newsletter deny list entries upon activation ( de-es )
#9879 Generate panel in DC_Folder before adding messages ( lukasbableck )
#9878 Check ptable when fetching child records ( lukasbableck )
#9880 Enable cache invalidation in dev ( fritzmg )
#9875 Simplify converting the backend headline to the page title ( leofeyer )
#9848 Restrict web-triggered cron/worker execution to the Contao scope ( Toflar )
#9868 Allow version 4 of spatie/schema-org ( leofeyer )
#9850 Fix non-DBAFS images not appearing in the search results ( qzminski )
#9847 Simplify the search index listener ( Toflar )
#9841 Remove <style> and <script> content when converting HTML to plain text ( lukasbableck )
#9844 Do not enforce 2FA when impersonated ( aschempp )
#9819 Support self-closing tags in the Input::stripAttributes() method ( leofeyer )
#9823 Add a trace to the maximum insert tag nesting level exception ( Toflar )
#9812 Allow a lower --time-limit for messenger workers ( fritzmg )
#9811 Add an attributes variable to the player.html.twig template ( fritzmg )
#9795 Correctly set the poster URL in the PlayerController ( leofeyer )
#9783 Fix setting integer properties on models to invalid types ( ausi )
#9779 Improve the support and documentation of sizes=auto in images ( ausi )
#9787 Use the null-safe operator for getBaseUrl() and getBasePath() ( Toflar )

Vulnerability details

The full post is only visible for trakked customers

Already a customer?
Log in now

You would like to become a customer?
Test trakked now

About Contao 5.3 LTS

The first stable version of Contao 5.3 has been released on February 16, 2024, replacing Contao 4.13 as the long term support version. As an LTS version, 5.3 will be provided with bug fixes until February 14, 2027 and security-related updates until February 14, 2028. Contao 5.7 is the next LTS version of Contao and was released in February 2026, ensuring a smooth transition.

Bjarke Ammann

Bjarke takes care of the website and support. If you like reading, you might have come across his Contao Two Month Review or found an answer to your question in the official Contao user manual. He also makes sure that Contao enthusiasts from Switzerland meet regularly to exchange ideas. He loves culinary delights, good music and exercise in the fresh air.

Contao 5.3.47 released

Changelog of the fixed issues in Contao 5.3.47:

Vulnerability details

The full post is only visible for trakked customers

About Contao 5.3 LTS

Bjarke Ammann

Add a comment

Latest posts

Changelog of the fixed issues in Contao 5.3.47:

Vulnerability details

The full post is only visible for trakked customers

About Contao 5.3 LTS

Newsletter

Bjarke Ammann

Add a comment

Latest posts

Contao 5.3.47 released

Contao 5.7.7 released

Contao 5.7.6 released