Contao allows cross-site scripting through SVG uploads
Description
Contao is an Open Source CMS. Users can upload SVG files with malicious code, which is then executed in the back end and/or front end. This vulnerability is fixed in Contao 4.13.54, 5.3.30, or 5.5.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Contao CMS allows authenticated users to upload malicious SVG files, leading to stored XSS in the back end and front end.
Vulnerability
Overview
CVE-2025-29790 is a cross-site scripting (XSS) vulnerability in the Contao Open Source CMS. The application fails to sanitize SVG files uploaded by users, allowing attackers to embed arbitrary JavaScript or other malicious code within SVG markup. When the SVG is rendered in the back end or front end, the injected code executes in the context of the victim's browser [1][3].
Exploitation
Prerequisites
An attacker must have the ability to upload files to a Contao instance—typically an authenticated user with file upload permissions. No special network position is required; the attack is carried out through the standard file upload functionality. The malicious SVG is stored on the server and served to other users, including administrators, when they view the file in the CMS interface [3][4].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the browsers of users who view the uploaded SVG. This can lead to session hijacking, defacement, theft of sensitive data, or further actions within the CMS as the victim user. The vulnerability affects both the administrative back end and the public front end [1][4].
Mitigation
The vulnerability is fixed in Contao versions 4.13.54, 5.3.30, and 5.5.6. As a workaround, administrators can remove svg and svgz from the allowed upload file types in the system settings and from the contao.editable_files configuration in config.yaml [3][4].
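The workaround above removes SVG from the upload allowlist; files uploaded before the change still need to be audited. The following added example (not Contao's code, and it does not reproduce Contao's actual default file-type list, which is assumed here) shows both sides: an extension allowlist check with svg/svgz deliberately absent, and a scanner that flags the constructs in a stored SVG that can carry executable content when the file is rendered inline, namely script elements, on* event-handler attributes and javascript: hrefs. The sample SVGs are constructed for the demonstration.

```python
"""Defender-side checks for the SVG-upload XSS class in the advisory.

1. upload_allowed(): an upload allowlist that mirrors the advisory's workaround
   (svg and svgz removed from the permitted extensions).
2. svg_findings(): a scanner for already-stored SVG files that reports the
   constructs which let an SVG execute script when rendered inline.
Added example, not Contao's own code; lists and samples are constructed.
"""
import xml.etree.ElementTree as ET

# Allowlist after applying the workaround: svg and svgz are intentionally absent.
# (Assumed list; Contao's real default file-type setting is not reproduced here.)
ALLOWED_UPLOAD_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "webp", "pdf", "txt", "csv"}

# Elements that can carry or host executable content inside an SVG document.
SCRIPT_CAPABLE_TAGS = {"script", "foreignObject"}


def upload_allowed(filename: str) -> bool:
    """Return True only when the final extension is on the allowlist.

    Only the last dot counts, so 'logo.svg.png' is judged by 'png' and
    'logo.png.svg' by 'svg'; case is ignored so 'LOGO.SVGZ' is also refused.
    """
    name = filename.rsplit("/", 1)[-1]
    if "." not in name:
        return False
    ext = name.rsplit(".", 1)[1].lower()
    return ext in ALLOWED_UPLOAD_EXTENSIONS


def svg_findings(svg_bytes: bytes) -> list[str]:
    """Return a list of human-readable findings; an empty list means nothing flagged.

    The XML parser decodes entity references, so an attribute value written as
    '&#106;avascript:...' is seen here as 'javascript:...'.
    """
    findings: list[str] = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        # Unparseable input is reported rather than silently accepted.
        return [f"unparseable XML: {exc}"]

    for el in root.iter():
        tag = el.tag.split("}", 1)[-1]  # strip the namespace prefix
        if tag in SCRIPT_CAPABLE_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            local = attr.split("}", 1)[-1]  # handles xlink:href as well as href
            if local.lower().startswith("on"):
                findings.append(f"event handler attribute {local} on <{tag}>")
            elif local == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in href on <{tag}>")
    return findings


# Constructed sample: a benign icon.
CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="#09c"/>
</svg>"""

# Constructed sample of the class the advisory describes: script content inside SVG.
SCRIPTED_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">
  <script>alert(1)</script>
</svg>"""


if __name__ == "__main__":
    for name in ("logo.png", "logo.svg", "icon.SVGZ", "logo.png.svg"):
        print(f"{name}: {'allowed' if upload_allowed(name) else 'refused'}")
    for label, sample in (("clean", CLEAN_SVG), ("scripted", SCRIPTED_SVG)):
        print(f"{label}: {svg_findings(sample) or 'no findings'}")
```

Run the scanner over the existing upload directory to find SVGs that were stored before the allowlist change; anything it flags should be removed or replaced, since the allowlist only protects against new uploads.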
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| contao/core-bundle (Packagist) | >= 4.0.0, < 4.13.54 | 4.13.54 |
| contao/core-bundle (Packagist) | >= 5.3.0, < 5.3.30 | 5.3.30 |
| contao/core-bundle (Packagist) | >= 5.4.0, < 5.5.6 | 5.5.6 |
Affected products
- contao/contao (v5), range: >= 4.0.0, < 4.13.54
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-vqqr-fgmh-f626 (GHSA, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-29790 (GHSA, ADVISORY)
- contao.org/en/security-advisories/cross-site-scripting-through-svg-uploads (GHSA, x_refsource_MISC, WEB)
- github.com/contao/contao/security/advisories/GHSA-vqqr-fgmh-f626 (GHSA, x_refsource_CONFIRM, WEB)
News mentions
No linked articles in our index yet.