CVE-2025-29790
Contao Vulnerable to Cross-Site Scripting (XSS) through SVG uploads
Description
### Impact Users can upload SVG files with malicious code, which is then executed in the back end and/or front end. ### Patches Update to Contao 4.13.54, 5.3.30 or 5.5.6. ### Workarounds Remove `svg,svgz` from the allowed upload file types in the system settings and from `contao.editable_files` in the `config.yaml`. ### References https://contao.org/en/security-advisories/cross-site-scripting-through-svg-uploads ### For more information If you have any questions or comments about this advisory, open an issue in [contao/contao](https://github.com/contao/contao/issues/new/choose).
How to fix CVE-2025-29790
To remediate CVE-2025-29790, upgrade the affected package to a fixed version below.
- —upgrade to 4.13.54 or later
Is CVE-2025-29790 being exploited?
Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 4.0.0, < 4.13.54
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |