Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:composer/contao/core-bundle@5.3.39
purl pkg:composer/contao/core-bundle@5.3.39
Next non-vulnerable version 5.3.42
Latest non-vulnerable version 5.6.5
Risk 3.1
Vulnerabilities affecting this package (2)
Vulnerability Summary Fixed by
VCID-r1h5-ag74-dbaw
Aliases:
CVE-2025-65961
GHSA-68q5-78xp-cwwc
Contao is vulnerable to cross-site scripting in templates It is possible to inject code into the template output that will be executed in the browser in the front end and back end.
5.3.42
Affected by 0 other vulnerabilities.
5.6.5
Affected by 0 other vulnerabilities.
VCID-wyd5-t8at-8bba
Aliases:
CVE-2025-65960
GHSA-98vj-mm79-v77r
Contao is vulnerable to remote code execution in template closures Backend users with precise control over the contents of template closures can execute arbitrary PHP functions that do not have required parameters.
5.3.42
Affected by 0 other vulnerabilities.
5.6.5
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-06T06:26:10.755841+00:00 GitLab Importer Affected by VCID-r1h5-ag74-dbaw https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core-bundle/CVE-2025-65961.yml 38.6.0
2026-06-06T06:25:06.021892+00:00 GitLab Importer Affected by VCID-wyd5-t8at-8bba https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core-bundle/CVE-2025-65960.yml 38.6.0