CVE-2025-65961 LOW

CVE-2025-65961: Contao is vulnerable to cross-site scripting in templates

Vendor Contao
Product contao
Weakness CWE-87
Published November 25, 2025
Last update November 25, 2025

CVSS base score

3.3/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, it is possible to inject code into the template output that will be executed in the browser in the front end and back end. This issue has been patched in versions 4.13.57, 5.3.42, and 5.6.5. A workaround for this issue involves not using the affected templates or patch them manually.

Key dates

02Disclosure timeline

November 25, 2025 CVE published
November 25, 2025 Record updated