Low severityNVD Advisory· Published Oct 2, 2024· Updated Aug 27, 2025

CVE-2024-45965

Description

Contao before 5.5.6 allows XSS via an SVG document. This affects (in contao/core-bundle in Composer) 4.x before 4.13.54, 5.0.x through 5.3.x before 5.3.30, and 5.4.x and 5.5..x before 5.5.6.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
contao/contaoPackagist	<= 5.4.1	—

Affected products

ghsa-coords
pkg:composer/contao/contao
Range: <= 5.4.1
Contao/Contao CMScpe-rescue
Range: 4.0.0

Patches

Vulnerability mechanics

References

github.com/advisories/GHSA-mrw8-5368-phm3ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2024-45965ghsaADVISORY
contao.org/en/security-advisories/cross-site-scripting-through-svg-uploadsghsaWEB
grimthereaperteam.medium.com/contao-5-4-1-malicious-file-upload-xss-in-svg-30edb8820ecbghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.065
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000