Hi, I have discovered a vulnerability that might lead to code execution in Contao CMS <= 3.2.4 Contao CMS <= 3.2.4 does not properly validate user input in several locations which is then passed directly into PHP's unserialize. This has been fixed in Contao 2.3.5 as per commit: https://github.com/contao/core/commit/8c9cb044bdc887a8202bb65a64545c025664f957 and https://github.com/contao/core/commit/1717336598fdcf1ed3f4ad488e140147cb31516d Announcements can be found at https <https://contao.org/en/news/contao-3_2_5.html>://<https://contao.org/en/news/contao-3_2_5.html> contao.org <https://contao.org/en/news/contao-3_2_5.html>/<https://contao.org/en/news/contao-3_2_5.html> en <https://contao.org/en/news/contao-3_2_5.html>/news/<https://contao.org/en/news/contao-3_2_5.html> contao <https://contao.org/en/news/contao-3_2_5.html>-3_2_5.<https://contao.org/en/news/contao-3_2_5.html> html <https://contao.org/en/news/contao-3_2_5.html> https <https://contao.org/en/news/contao-2_11_14.html>://<https://contao.org/en/news/contao-2_11_14.html> contao.org <https://contao.org/en/news/contao-2_11_14.html>/<https://contao.org/en/news/contao-2_11_14.html> en <https://contao.org/en/news/contao-2_11_14.html>/news/<https://contao.org/en/news/contao-2_11_14.html> contao <https://contao.org/en/news/contao-2_11_14.html>-2_11_14.<https://contao.org/en/news/contao-2_11_14.html> html <https://contao.org/en/news/contao-2_11_14.html> Thanks to the Contao developers for being so responsive. The full report can be found at my repo in https://github.com/pedrib/PoC/blob/master/contao-3.2.4.txt Can you please assign a CVE for the vulnerability described above? Thanks in advance. Regards, Pedro Ribeiro Agile Information Security