CVE-2025-65961
25.11.2025, 19:15
Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, it is possible to inject code into the template output that will be executed in the browser in the front end and back end. This issue has been patched in versions 4.13.57, 5.3.42, and 5.6.5. A workaround for this issue involves not using the affected templates or patching them manually.
| Vendor | Product | Version |
|---|---|---|
| contao | contao | 4.0.0 ≤ x < 4.13.57 |
| contao | contao | 5.0.0 ≤ x < 5.3.42 |
| contao | contao | 5.4.0 ≤ x < 5.6.5 |

x = vulnerable software version
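A quick way to test an installed Contao version against the three affected ranges in the table above. This is an added helper written for this page, not Contao or advisory code; the version strings in the examples are constructed.

```python
"""Check an installed Contao version against the CVE-2025-65961 ranges."""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges exactly as listed in the advisory table: [lower, upper).
# The upper bound of each range is the first patched release on that branch.
AFFECTED_RANGES = (
    ((4, 0, 0), (4, 13, 57)),
    ((5, 0, 0), (5, 3, 42)),
    ((5, 4, 0), (5, 6, 5)),
)


def parse_version(text: str) -> Version:
    """Parse a 'major.minor.patch' string (optional leading 'v') into a tuple.

    Pre-release suffixes such as '-RC1' are rejected on purpose: a release
    candidate of a patched version is not the patched version, so the caller
    must decide how to treat it rather than silently passing it as fixed.
    """
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the version lies inside any affected [lower, upper) range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def minimum_fix(version: str) -> Optional[str]:
    """Return the first patched release on the affected version's branch,
    or None if the version is not in an affected range."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return "%d.%d.%d" % hi
    return None


if __name__ == "__main__":
    for sample in ("4.13.56", "5.3.42", "5.6.4"):  # constructed inputs
        print(sample, "affected" if is_affected(sample) else "not affected",
              minimum_fix(sample))
```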
Common Weakness Enumeration
- CWE-87 - Improper Neutralization of Alternate XSS Syntax: The software does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.