by Leo Feyer

Cross-site scripting through SVG uploads

Date: 2025-03-18
CVE ID: CVE-2025-29790

Users can upload SVG files with malicious code, which is then executed in the back end and/or front end.

Affected versions

Contao 4.0
Contao 4.1
Contao 4.2
Contao 4.3
Contao 4.4
Contao 4.5
Contao 4.6
Contao 4.7
Contao 4.8
Contao 4.9
Contao 4.10
Contao 4.11
Contao 4.12
Contao 4.13 up to 4.13.53
Contao 5.0
Contao 5.1
Contao 5.2
Contao 5.3 up to 5.3.29
Contao 5.4
Contao 5.5 up to 5.5.5

Suggested solution

Upgrade to Contao 4.13.54, 5.3.30 or 5.5.6.

Workaround

Remove svg,svgz from the allowed upload file types in the system settings and from contao.editable_files in the config.yaml.
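The upgrade and the workaround only stop new SVG uploads; files already in the upload directory may still carry active content. The following scanner is an added example, not part of the advisory or of Contao's own code: it walks a directory (Contao's default upload directory files/ is assumed) and flags .svg/.svgz files containing script elements, event-handler attributes or javascript: URIs; the sample SVGs at the bottom are constructed fixtures.

```python
import gzip
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Elements and attribute patterns that make an SVG run code when rendered inline.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
JS_URI = re.compile(r"^\s*javascript:", re.IGNORECASE)

def svg_findings(data: bytes) -> list[str]:
    """List why an SVG is unsafe to render inline; an empty list means nothing found."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable XML ({exc})"]
    findings = []
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1].lower()  # '{ns}script' -> 'script'
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = attr.rsplit("}", 1)[-1].lower()  # also catches xlink:href
            if name.startswith("on"):  # onload, onerror, onclick, ...
                findings.append(f"{name} handler on <{tag}>")
            elif name == "href" and JS_URI.match(value):
                findings.append(f"javascript: URI in href on <{tag}>")
    return findings

def inspect_upload(filename: str, data: bytes) -> list[str]:
    """Cover both extensions named in the advisory: .svgz is gzip-compressed SVG."""
    if filename.lower().endswith(".svgz"):
        try:
            data = gzip.decompress(data)
        except (OSError, EOFError) as exc:
            return [f"invalid gzip ({exc})"]
    return svg_findings(data)

def scan_directory(root: Path) -> dict[str, list[str]]:
    """Map every flagged .svg/.svgz file below root (e.g. Contao's files/) to its findings."""
    report = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in (".svg", ".svgz"):
            if found := inspect_upload(path.name, path.read_bytes()):
                report[str(path)] = found
    return report

# Constructed fixtures, not files from any real installation.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
ACTIVE_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="x()"><script>/* constructed */</script></svg>'
ACTIVE_SVGZ = gzip.compress(ACTIVE_SVG)
```

Run scan_directory(Path("files")) and review or remove every file it reports; a clean result is not proof of safety, since the check only covers the most common active-content markers.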

More information

https://github.com/contao/contao/security/advisories/GHSA-vqqr-fgmh-f626