Home > Vulnerability Database > CVE-2025-65961

Mend.io Vulnerability Database

CVE-2025-65961

Good to know:

Date: November 25, 2025

Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, it is possible to inject code into the template output that will be executed in the browser in the front end and back end. This issue has been patched in versions 4.13.57, 5.3.42, and 5.6.5. A workaround for this issue involves not using the affected templates or patch them manually.

Severity Score

3.3

Related Resources (5)

Url: https://github.com/contao/contao

Url: https://github.com/contao/contao/security/advisories/GHSA-68q5-78xp-cwwc

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-65961

Url: https://contao.org/en/security-advisories/cross-site-scripting-in-templates

Url: https://www.mend.io/vulnerability-database/CVE-2025-65961

Severity Score

3.3

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Improper Neutralization of Alternate XSS Syntax

CWE-87

Top Fix

Upgrade Version

Upgrade to version contao/core-bundle - 4.13.57;contao/core-bundle - 5.3.42;contao/core-bundle - 5.6.5

Learn More

CVSS v3.1

Base Score:	3.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-65961

Good to know:

Date: November 25, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?