by Leo Feyer
Cross-site scripting in templates
Date: 2025-11-25
CVE ID: CVE-2025-65961
It is possible to inject code into the template output that is then executed in the browser, both in the front end and in the back end.
Affected versions
Contao 4.0
Contao 4.1
Contao 4.2
Contao 4.3
Contao 4.4
Contao 4.5
Contao 4.6
Contao 4.7
Contao 4.8
Contao 4.9
Contao 4.10
Contao 4.11
Contao 4.12
Contao 4.13 up to 4.13.56
Contao 5.0
Contao 5.1
Contao 5.2
Contao 5.3 up to 5.3.41
Contao 5.4
Contao 5.5
Contao 5.6 up to 5.6.4
Suggested solution
Upgrade to Contao 4.13.57, 5.3.42 or 5.6.5.
Workaround
Do not use the affected templates or patch them manually.
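The advisory does not name the affected templates or the exact sink, so the following is an added illustration of the vulnerability class rather than code from Contao or from the advisory: a value written into template markup without escaping, next to the same output escaped at the point of rendering, which is the shape a manual patch of a template generally takes. The helper names, the `$sample` input and the `teaser` markup are constructed for this example; `htmlspecialchars` is standard PHP.

```php
<?php
// Added illustration, not Contao's own template code. $value stands in for any
// data that reaches a template (constructed placeholder).

// Generic escaping helper for HTML element content and quoted attribute values.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: the value is concatenated into the markup as-is, so any
// tags or attributes it contains become part of the page and run in the
// visitor's (or back-end user's) browser.
function renderUnescaped(string $value): string
{
    return '<p class="teaser">' . $value . '</p>';
}

// Hardened pattern: the same value is escaped at the point of output, so the
// browser renders it as literal text instead of interpreting it as markup.
function renderEscaped(string $value): string
{
    return '<p class="teaser">' . escapeHtml($value) . '</p>';
}

// Constructed sample input carrying markup, of the kind a tester would submit
// through any field that later ends up in a template.
$sample = '<b onmouseover="alert(1)">hello</b>';

echo "Unescaped: ", renderUnescaped($sample), PHP_EOL;
echo "Escaped:   ", renderEscaped($sample), PHP_EOL;
```

When patching a template by hand, escape at the output site, not at the input site: the same stored value may be rendered in several templates, and only output-time escaping guarantees each of them is covered. `htmlspecialchars` with `ENT_QUOTES` is the right tool for element content and quoted attribute values; a value placed inside a `<script>` block, a URL, or an unquoted attribute needs the escaping rules of that context instead, so check where in the markup each affected template writes the value before choosing the fix.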
More information
https://github.com/contao/contao/security/advisories/GHSA-68q5-78xp-cwwc