CVE-2025-29790

MEDIUM

Contao 4.0.0-4.13.53 and core-bundle 4.0.0-4.13.54 - Stored Cross-Site Scripting via SVG Upload

Title source: llm
STIX 2.1

Description

Contao is an Open Source CMS. Users can upload SVG files with malicious code, which is then executed in the back end and/or front end. This vulnerability is fixed in Contao 4.13.54, 5.3.30, or 5.5.6.

References (2)

Core 2

Scores

CVSS v3 5.4
EPSS 0.0020
EPSS Percentile 10.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (2)
contao/contao 4.0.0 - 4.13.53
contao/core-bundle 4.0.0 - 4.13.54Packagist
Published Mar 18, 2025
Tracked Since Feb 18, 2026