CVE-2025-65961

LOW

Contao <4.13.57-5.6.5 - Code Injection

Description

Contao is an open-source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, it is possible to inject code into the template output that will be executed in the browser in both the front end and the back end. This issue has been patched in versions 4.13.57, 5.3.42, and 5.6.5. A workaround for this issue involves not using the affected templates or patching them manually.

Scores

CVSS v3 3.3
EPSS 0.0014
EPSS Percentile 3.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79 CWE-87
Status published
Products (2)
contao/contao 4.0.0 - 4.13.57
contao/core-bundle 4.0.0 - 4.13.57 (Packagist)
Published Nov 25, 2025
Tracked Since Feb 18, 2026