CVE-2025-65961: Contao is vulnerable to cross-site scripting in templates

November 25, 2025 (updated November 27, 2025)

It is possible to inject code into the template output that will be executed in the browser in the front end and back end.

References

contao.org/en/security-advisories/cross-site-scripting-in-templates
github.com/advisories/GHSA-68q5-78xp-cwwc
github.com/contao/contao
github.com/contao/contao/security/advisories/GHSA-68q5-78xp-cwwc
nvd.nist.gov/vuln/detail/CVE-2025-65961

Code Behaviors & Features

Detect and mitigate CVE-2025-65961 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →