CVE-2025-65961

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-65961
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-65961.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-65961
Aliases
Published
2025-11-25T19:06:37.395Z
Modified
2025-11-27T13:19:56.432115Z
Severity
  • 3.3 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
Summary
Contao is vulnerable to cross-site scripting in templates
Details

Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, it is possible to inject code into the template output that will be executed in the browser in the front end and back end. This issue has been patched in versions 4.13.57, 5.3.42, and 5.6.5. A workaround for this issue is to not use the affected templates or to patch them manually.

Database specific
{
    "cwe_ids": [
        "CWE-87"
    ]
}
References

Affected packages

Git / github.com/contao/contao

Affected ranges

Type
GIT
Repo
https://github.com/contao/contao
Events
Database specific
{
    "versions": [
        {
            "introduced": "4.0.0"
        },
        {
            "fixed": "4.13.57"
        }
    ]
}
Type
GIT
Repo
https://github.com/contao/contao
Events
Database specific
{
    "versions": [
        {
            "introduced": "5.0.0-RC1"
        },
        {
            "fixed": "5.3.42"
        }
    ]
}
Type
GIT
Repo
https://github.com/contao/contao
Events
Database specific
{
    "versions": [
        {
            "introduced": "5.4.0-RC1"
        },
        {
            "fixed": "5.6.5"
        }
    ]
}

Affected versions

4.*

4.13.10
4.13.11
4.13.12
4.13.13
4.13.14
4.13.15
4.13.16
4.13.17
4.13.18
4.13.19
4.13.20
4.13.21
4.13.22
4.13.23
4.13.24
4.13.25
4.13.26
4.13.27
4.13.28
4.13.29
4.13.30
4.13.31
4.13.32
4.13.33
4.13.34
4.13.35
4.13.36
4.13.37
4.13.38
4.13.39
4.13.40
4.13.41
4.13.42
4.13.43
4.13.44
4.13.45
4.13.46
4.13.47
4.13.48
4.13.49
4.13.7
4.13.8
4.13.9
4.9.32
4.9.33
4.9.34
4.9.35
4.9.36
4.9.37
4.9.38
4.9.39
4.9.40
4.9.41

5.*

5.0.0
5.0.0-RC1
5.0.0-RC2
5.0.0-RC3
5.0.0-RC4
5.0.1
5.0.10
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8
5.0.9
5.1.0
5.1.0-RC1
5.1.0-RC2
5.1.0-RC3
5.1.1
5.1.10
5.1.11
5.1.2
5.1.3
5.1.4
5.1.5
5.1.6
5.1.7
5.1.8
5.1.9
5.2.0
5.2.0-RC1
5.2.0-RC2
5.2.0-RC3
5.2.0-RC4
5.2.0-RC5
5.2.0-RC6
5.2.1
5.2.10
5.2.2
5.2.3
5.2.4
5.2.5
5.2.6
5.2.7
5.2.8
5.2.9
5.3.0
5.3.0-RC1
5.3.0-RC2
5.3.0-RC3
5.3.0-RC4
5.3.1
5.3.10
5.3.11
5.3.12
5.3.13
5.3.14
5.3.15
5.3.16
5.3.17
5.3.18
5.3.19
5.3.2
5.3.20
5.3.21
5.3.22
5.3.23
5.3.24
5.3.25
5.3.26
5.3.27
5.3.28
5.3.29
5.3.3
5.3.30
5.3.31
5.3.32
5.3.33
5.3.34
5.3.35
5.3.36
5.3.37
5.3.38
5.3.39
5.3.4
5.3.40
5.3.41
5.3.5
5.3.6
5.3.7
5.3.8
5.3.9
5.4.0
5.4.0-RC1
5.4.0-RC2
5.4.0-RC3
5.4.0-RC4
5.4.1
5.4.10
5.4.11
5.4.12
5.4.13
5.4.14
5.4.2
5.4.3
5.4.4
5.4.5
5.4.6
5.4.7
5.4.8
5.4.9
5.5.0
5.5.0-RC1
5.5.0-RC2
5.5.0-RC3
5.5.0-RC4
5.5.1
5.5.10
5.5.11
5.5.12
5.5.13
5.5.14
5.5.15
5.5.2
5.5.3
5.5.4
5.5.5
5.5.6
5.5.7
5.5.8
5.5.9
5.6.0
5.6.0-RC1
5.6.0-RC2
5.6.0-RC3
5.6.1
5.6.2
5.6.3
5.6.4