GHSA-68q5-78xp-cwwc

Source

https://github.com/advisories/GHSA-68q5-78xp-cwwc

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-68q5-78xp-cwwc/GHSA-68q5-78xp-cwwc.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-68q5-78xp-cwwc

Aliases

CVE-2025-65961

Published

2025-11-25T20:48:13Z

Modified

2025-11-27T20:49:17.069528Z

Severity

3.3 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

Contao is vulnerable to cross-site scripting in templates

Details

Impact

It is possible to inject code into the template output that will be executed in the browser in the front end and back end.

Patches

Update to Contao 4.13.57, 5.3.42 or 5.6.5.

Workarounds

Do not use the affected templates or patch them manually.

Refsources

https://contao.org/en/security-advisories/cross-site-scripting-in-templates

Database specific

{
    "nvd_published_at": "2025-11-25T19:15:51Z",
    "github_reviewed_at": "2025-11-25T20:48:13Z",
    "severity": "LOW",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-87"
    ]
}

References

Affected packages

Packagist / contao/core-bundle

Package

Name: contao/core-bundle
Purl: pkg:composer/contao/core-bundle

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0

Fixed

4.13.57

Affected versions

4.*

4.0.0

4.0.1

4.0.2

4.0.3

4.0.4

4.1.0-beta1

4.1.0-RC1

4.1.0

4.1.1

4.1.2

4.1.3

4.2.0-beta1

4.2.0-RC1

4.2.0

4.2.1

4.2.2

4.2.3

4.2.4

4.2.5

4.3.0-RC1

4.3.0

4.3.1

4.3.2

4.3.3

4.3.4

4.3.5

4.3.6

4.3.7

4.3.8

4.3.9

4.3.10

4.3.11

4.4.0-beta1

4.4.0-RC1

4.4.0-RC2

4.4.0

4.4.1

4.4.2

4.4.3

4.4.4

4.4.5

4.4.6

4.4.7

4.4.8

4.4.9

4.4.10

4.4.11

4.4.12

4.4.13

4.4.14

4.4.15

4.4.16

4.4.17

4.4.18

4.4.19

4.4.20

4.4.21

4.4.22

4.4.23

4.4.24

4.4.25

4.4.26

4.4.27

4.4.28

4.4.29

4.4.30

4.4.31

4.4.32

4.4.33

4.4.34

4.4.35

4.4.36

4.4.37

4.4.38

4.4.39

4.4.40

4.4.41

4.4.42

4.4.43

4.4.44

4.4.45

4.4.46

4.4.47

4.4.48

4.4.49

4.4.50

4.4.51

4.4.52

4.4.53

4.4.54

4.4.55

4.4.56

4.4.57

4.5.0-beta1

4.5.0-beta2

4.5.0-beta3

4.5.0-RC1

4.5.0-RC2

4.5.0

4.5.1

4.5.2

4.5.3

4.5.4

4.5.5

4.5.6

4.5.7

4.5.8

4.5.9

4.5.10

4.5.11

4.5.12

4.5.13

4.5.14

4.6.0-RC1

4.6.0-RC2

4.6.0-RC3

4.6.0

4.6.1

4.6.2

4.6.3

4.6.4

4.6.5

4.6.6

4.6.7

4.6.8

4.6.9

4.6.10

4.6.11

4.6.12

4.6.13

4.6.14

4.7.0-RC1

4.7.0-RC2

4.7.0-RC3

4.7.0-RC4

4.7.0

4.7.1

4.7.2

4.7.3

4.7.4

4.7.5

4.7.6

4.7.7

4.8.0-RC1

4.8.0-RC2

4.8.0

4.8.1

4.8.2

4.8.3

4.8.4

4.8.5

4.8.6

4.8.7

4.8.8

4.9.0-RC1

4.9.0-RC2

4.9.0

4.9.1

4.9.2

4.9.3

4.9.4

4.9.5

4.9.6

4.9.7

4.9.8

4.9.9

4.9.10

4.9.11

4.9.12

4.9.13

4.9.14

4.9.15

4.9.16

4.9.17

4.9.18

4.9.19

4.9.20

4.9.21

4.9.22

4.9.23

4.9.24

4.9.25

4.9.26

4.9.27

4.9.28

4.9.29

4.9.30

4.9.31

4.9.32

4.9.33

4.9.34

4.9.35

4.9.36

4.9.37

4.9.38

4.9.39

4.9.40

4.9.41

4.9.42

4.10.0-RC1

4.10.0-RC2

4.10.0-RC3

4.10.0-RC4

4.10.0

4.10.1

4.10.2

4.10.3

4.10.4

4.10.5

4.10.6

4.10.7

4.11.0-RC1

4.11.0-RC2

4.11.0

4.11.1

4.11.2

4.11.3

4.11.4

4.11.5

4.11.6

4.11.7

4.11.8

4.11.9

4.12.0-RC1

4.12.0-RC2

4.12.0-RC3

4.12.0

4.12.1

4.12.2

4.12.3

4.12.4

4.12.5

4.12.6

4.12.7

4.13.0-RC1

4.13.0-RC2

4.13.0-RC3

4.13.0

4.13.1

4.13.2

4.13.3

4.13.4

4.13.5

4.13.6

4.13.7

4.13.8

4.13.9

4.13.10

4.13.11

4.13.12

4.13.13

4.13.14

4.13.15

4.13.16

4.13.17

4.13.18

4.13.19

4.13.20

4.13.21

4.13.22

4.13.23

4.13.24

4.13.25

4.13.26

4.13.27

4.13.28

4.13.29

4.13.30

4.13.31

4.13.32

4.13.33

4.13.34

4.13.35

4.13.36

4.13.37

4.13.38

4.13.39

4.13.40

4.13.41

4.13.42

4.13.43

4.13.44

4.13.45

4.13.46

4.13.47

4.13.48

4.13.49

4.13.50

4.13.51

4.13.52

4.13.53

4.13.54

4.13.55

4.13.56

Packagist / contao/core-bundle

Package

Name: contao/core-bundle
Purl: pkg:composer/contao/core-bundle

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0-RC1

Fixed

5.3.42

Affected versions

5.*

5.0.0-RC1

5.0.0-RC2

5.0.0-RC3

5.0.0-RC4

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

5.0.9

5.0.10

5.1.0-RC1

5.1.0-RC2

5.1.0-RC3

5.1.0

5.1.1

5.1.2

5.1.3

5.1.4

5.1.5

5.1.6

5.1.7

5.1.8

5.1.9

5.1.10

5.1.11

5.2.0-RC1

5.2.0-RC2

5.2.0-RC3

5.2.0-RC4

5.2.0-RC5

5.2.0-RC6

5.2.0

5.2.1

5.2.2

5.2.3

5.2.4

5.2.5

5.2.6

5.2.7

5.2.8

5.2.9

5.2.10

5.3.0-RC1

5.3.0-RC2

5.3.0-RC3

5.3.0-RC4

5.3.0

5.3.1

5.3.2

5.3.3

5.3.4

5.3.5

5.3.6

5.3.7

5.3.8

5.3.9

5.3.10

5.3.11

5.3.12

5.3.13

5.3.14

5.3.15

5.3.16

5.3.17

5.3.18

5.3.19

5.3.20

5.3.21

5.3.22

5.3.23

5.3.24

5.3.25

5.3.26

5.3.27

5.3.28

5.3.29

5.3.30

5.3.31

5.3.32

5.3.33

5.3.34

5.3.35

5.3.36

5.3.37

5.3.38

5.3.39

5.3.40

5.3.41

Packagist / contao/core-bundle

Package

Name: contao/core-bundle
Purl: pkg:composer/contao/core-bundle

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.4.0-RC1

Fixed

5.6.5

Affected versions

5.*

5.4.0-RC1

5.4.0-RC2

5.4.0-RC3

5.4.0-RC4

5.4.0

5.4.1

5.4.2

5.4.3

5.4.4

5.4.5

5.4.6

5.4.7

5.4.8

5.4.9

5.4.10

5.4.11

5.4.12

5.4.13

5.4.14

5.5.0-RC1

5.5.0-RC2

5.5.0-RC3

5.5.0-RC4

5.5.0

5.5.1

5.5.2

5.5.3

5.5.4

5.5.5

5.5.6

5.5.7

5.5.8

5.5.9

5.5.10

5.5.11

5.5.12

5.5.13

5.5.14

5.5.15

5.5.16

5.6.0-RC1

5.6.0-RC2

5.6.0-RC3

5.6.0

5.6.1

5.6.2

5.6.3

5.6.4