CVE-2025-29790

EPSS 0.53%

Contao Vulnerable to Cross-Site Scripting (XSS) through SVG uploads

Published: 3/18/2025Modified: 4/17/2025

Description

### Impact Users can upload SVG files with malicious code, which is then executed in the back end and/or front end. ### Patches Update to Contao 4.13.54, 5.3.30 or 5.5.6. ### Workarounds Remove `svg,svgz` from the allowed upload file types in the system settings and from `contao.editable_files` in the `config.yaml`. ### References https://contao.org/en/security-advisories/cross-site-scripting-through-svg-uploads ### For more information If you have any questions or comments about this advisory, open an issue in [contao/contao](https://github.com/contao/contao/issues/new/choose).

Affected packages (1)

Packagist/contao/core-bundle>= 4.0.0, < 4.13.54

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-29790
PATCHhttps://github.com/contao/contao
WEBhttps://contao.org/en/security-advisories/cross-site-scripting-through-svg-uploads
WEBhttps://github.com/contao/contao/security/advisories/GHSA-vqqr-fgmh-f626