CVE-2025-29790
MEDIUMContao 4.0.0-4.13.53 and core-bundle 4.0.0-4.13.54 - Stored Cross-Site Scripting via SVG Upload
Title source: llmDescription
Contao is an Open Source CMS. Users can upload SVG files with malicious code, which is then executed in the back end and/or front end. This vulnerability is fixed in Contao 4.13.54, 5.3.30, or 5.5.6.
References (2)
Core 2
Core References
Patch, Third Party Advisory x_refsource_confirm
https://github.com/contao/contao/security/advisories/GHSA-vqqr-fgmh-f626
Vendor Advisory x_refsource_misc
https://contao.org/en/security-advisories/cross-site-scripting-through-svg-uploads
Scores
CVSS v3
5.4
EPSS
0.0020
EPSS Percentile
10.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
contao/contao
4.0.0 - 4.13.53
contao/core-bundle
4.0.0 - 4.13.54Packagist
Published
Mar 18, 2025
Tracked Since
Feb 18, 2026