Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-37bz-3y5f-k3ca
Vulnerability ID VCID-37bz-3y5f-k3ca
Aliases CVE-2025-65961
GHSA-68q5-78xp-cwwc
Summary Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, it is possible to inject code into the template output that will be executed in the browser in the front end and back end. This issue has been patched in versions 4.13.57, 5.3.42, and 5.6.5. A workaround for this issue involves not using the affected templates or patch them manually.
Status Published
Exploitability 0.5
Weighted Severity 3.0
Risk 1.5
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-87 Improper Neutralization of Alternate XSS Syntax
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.0002 https://api.first.org/data/v1/epss?cve=CVE-2025-65961
cvssv3.1 3.3 https://contao.org/en/security-advisories/cross-site-scripting-in-templates
generic_textual LOW https://contao.org/en/security-advisories/cross-site-scripting-in-templates
ssvc Track https://contao.org/en/security-advisories/cross-site-scripting-in-templates
cvssv3.1_qr LOW https://github.com/advisories/GHSA-68q5-78xp-cwwc
cvssv3.1 3.3 https://github.com/contao/contao
generic_textual LOW https://github.com/contao/contao
cvssv3.1 3.3 https://github.com/contao/contao/security/advisories/GHSA-68q5-78xp-cwwc
cvssv3.1_qr LOW https://github.com/contao/contao/security/advisories/GHSA-68q5-78xp-cwwc
generic_textual LOW https://github.com/contao/contao/security/advisories/GHSA-68q5-78xp-cwwc
ssvc Track https://github.com/contao/contao/security/advisories/GHSA-68q5-78xp-cwwc
cvssv3.1 3.3 https://nvd.nist.gov/vuln/detail/CVE-2025-65961
generic_textual LOW https://nvd.nist.gov/vuln/detail/CVE-2025-65961
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2025-65961
https://github.com/contao/contao
cross-site-scripting-in-templates https://contao.org/en/security-advisories/cross-site-scripting-in-templates
CVE-2025-65961 https://nvd.nist.gov/vuln/detail/CVE-2025-65961
GHSA-68q5-78xp-cwwc https://github.com/advisories/GHSA-68q5-78xp-cwwc
GHSA-68q5-78xp-cwwc https://github.com/contao/contao/security/advisories/GHSA-68q5-78xp-cwwc
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N Found at https://contao.org/en/security-advisories/cross-site-scripting-in-templates
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-25T19:28:53Z/ Found at https://contao.org/en/security-advisories/cross-site-scripting-in-templates
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/contao/contao
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/contao/contao/security/advisories/GHSA-68q5-78xp-cwwc
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-25T19:28:53Z/ Found at https://github.com/contao/contao/security/advisories/GHSA-68q5-78xp-cwwc
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2025-65961
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.05734
EPSS Score 0.0002
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T16:57:38.229053+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2025/65xxx/CVE-2025-65961.json 38.6.0