CVE-2025-29790 Information

Description

Contao is an Open Source CMS. Users can upload SVG files with malicious code which is then executed in the back end and/or front end. This vulnerability is fixed in Contao 4.13.54 5.3.30 or 5.5.6.

Reference

https://contao.org/en/security-advisories/cross-site-scripting-through-svg-uploads https://github.com/contao/contao/security/advisories/GHSA-vqqr-fgmh-f626