Improper Neutralization of Alternate XSS Syntax in Contao - CVE-2025-65961

Published: May 5, 2026


Vulnerability identifier: #VU130150
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-65961
CWE-ID: CWE-87
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Contao
Affected software: Contao

Detailed vulnerability description

The vulnerability allows a remote user to execute script code in the browser of front-end and back-end users.

The vulnerability exists because templates do not properly neutralize alternate XSS syntax when rendering template output. A remote, privileged user can inject code into the template output that executes as script in the browser of front-end and back-end users.
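As an added illustration (not code from this advisory or from Contao, whose code base is PHP), the Python snippet below shows the CWE-87 failure mode the description refers to: a blocklist filter keyed on one spelling of a construct is defeated by alternate spellings, whereas output encoding chosen by HTML context at render time neutralizes them all. The naive filter, the detection helper and the sample strings are constructed for the demonstration.

```python
"""Alternate XSS syntax (CWE-87): a filter keyed on one spelling is bypassed by
another spelling; output encoding chosen by HTML context neutralises every spelling.
Constructed illustration, not Contao's template code (Contao itself is PHP)."""
import html
import re
from html.parser import HTMLParser

_IGNORED = re.compile(r"[\s\x00-\x1f]")  # characters browsers skip inside a URL scheme

def naive_strip(value: str) -> str:
    """Blocklist 'neutralizer' of the kind CWE-87 calls insufficient."""
    return value.replace("<script>", "").replace("</script>", "").replace("javascript:", "")

def encode_text(value: str) -> str:
    # Untrusted data in an HTML text node: escape every markup character.
    return html.escape(value, quote=True)

def encode_href(value: str) -> str:
    """Untrusted data in a URL attribute: allowlist the scheme, then escape."""
    scheme = _IGNORED.sub("", value).split(":", 1)[0].lower()
    return html.escape(value if scheme in ("http", "https") else "#", quote=True)

class _ActiveContent(HTMLParser):
    # Flags a <script> element or a javascript: URL in any attribute.
    def __init__(self):
        super().__init__()
        self.found = False

    def handle_starttag(self, tag, attrs):
        urls = [_IGNORED.sub("", v).lower() for _, v in attrs if v]
        self.found |= tag == "script" or any(u.startswith("javascript:") for u in urls)

def is_active(fragment: str) -> bool:
    parser = _ActiveContent()
    parser.feed(fragment)
    parser.close()
    return parser.found

def render(context: str, value: str, safe: bool) -> str:
    # Place one untrusted value into a text node or an href attribute.
    if context == "text":
        return f"<p>{encode_text(value) if safe else naive_strip(value)}</p>"
    return f'<a href="{encode_href(value) if safe else naive_strip(value)}">link</a>'

# Constructed inputs: textbook alternate spellings of the same two constructs.
SAMPLES = [
    ("text", "<ScRiPt>alert(1)</ScRiPt>"),          # case variant
    ("text", "<scr<script>ipt>alert(1)</script>"),  # nesting survives one strip pass
    ("href", "JaVaScRiPt:alert(1)"),                # scheme case variant
    ("href", "java\tscript:alert(1)"),              # embedded tab, skipped by browsers
]

def compare():
    # Per sample: (value, active after naive filter, active after contextual encoding).
    return [(v, is_active(render(c, v, False)), is_active(render(c, v, True))) for c, v in SAMPLES]
```

Every sample survives the naive filter and none survives contextual encoding; the `href` cases also show that a URL attribute needs scheme allowlisting in addition to escaping.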


How to mitigate CVE-2025-65961

Install the security update from the vendor's website.

Sources