It is possible to inject insert tags in canonical URLs which will be replaced when the page is rendered.
Update to Contao 4.13.49, 5.3.15 or 5.4.3.
Disable canonical tags in the settings of the website root page.
https://contao.org/en/security-advisories/insert-tag-injection-via-canonical-urls
If you have any questions or comments about this advisory, open an issue in contao/contao.