Contao is vulnerable to cross-site scripting in templates
Description
Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, it is possible to inject code into the template output that will be executed in the browser in the front end and back end. This issue has been patched in versions 4.13.57, 5.3.42, and 5.6.5. A workaround for this issue involves not using the affected templates or patching them manually.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Contao CMS (4.0.0-4.13.56, 5.0-5.3.41, 5.4-5.6.4) allows template injection leading to persistent cross-site scripting in frontend and backend.
Vulnerability
CVE-2025-65961 is a cross-site scripting (XSS) vulnerability in the Contao Open Source CMS that allows an attacker to inject arbitrary JavaScript code into template output. The issue affects all versions from 4.0.0 up to, but not including, 4.13.57, 5.3.42, and 5.6.5 [1] [3] [4]. The root cause lies in insufficient sanitization of user-controllable data within template rendering, enabling the injection of malicious script that is then executed in the browser context of legitimate users. This is a classic template injection vulnerability that compromises the integrity of the page output.
Exploitation
The attacker does not require authentication for exploitation in some scenarios, as the injection point may be accessible to unauthenticated users on the frontend. The attack vector is remote, and the complexity is low, requiring the attacker to craft a malicious input that is processed by an affected template [3]. User interaction is not necessarily required; if the attacker can inject the payload into a stored template or a publicly accessible page, any user viewing that page becomes a victim. The scope of the attack can change, as the injected script can access and modify resources beyond the vulnerable component, potentially affecting the entire CMS instance [3].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the browser of any user viewing the compromised page, both in the frontend and the backend [1] [4]. This can lead to session hijacking, credential theft, defacement of the site, or further attacks against administrators and visitors. The impacts on confidentiality, integrity, and availability are rated high, as the attacker can read sensitive data, modify page content, and disrupt normal operations [3].
Mitigation
The vulnerability has been patched in Contao versions 4.13.57, 5.3.42, and 5.6.5 [1] [4]. Users should upgrade immediately to one of these versions. The official workaround is to avoid using the affected templates entirely or to apply manual patches to the template files [4]. There is no indication that this vulnerability is currently listed in the Known Exploited Vulnerabilities catalog, but given its severity and ease of exploitation, prompt remediation is strongly advised.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| contao/core-bundle (Packagist) | >= 4.0.0, < 4.13.57 | 4.13.57 |
| contao/core-bundle (Packagist) | >= 5.0.0-RC1, < 5.3.42 | 5.3.42 |
| contao/core-bundle (Packagist) | >= 5.4.0-RC1, < 5.6.5 | 5.6.5 |
Affected products
- Range: <4.13.57 || <5.3.42 || <5.6.5
- contao/contao (v5): Range: >= 4.0.0, < 4.13.57
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/advisories/GHSA-68q5-78xp-cwwc (ghsa, ADVISORY)
2. nvd.nist.gov/vuln/detail/CVE-2025-65961 (ghsa, ADVISORY)
3. contao.org/en/security-advisories/cross-site-scripting-in-templates (ghsa, x_refsource_MISC, WEB)
4. github.com/contao/contao/security/advisories/GHSA-68q5-78xp-cwwc (ghsa, x_refsource_CONFIRM, WEB)
News mentions
No linked articles in our index yet.