CVE-2025-29790: 
PHP vulnerability analysis and mitigation

CVE-2025-29790 affects Contao, an Open Source CMS. The vulnerability was discovered and disclosed on March 18, 2025, allowing users to upload SVG files containing malicious code that can be executed in both the back end and front end of the system. The vulnerability impacts multiple versions of Contao, including versions 4.x (up to 4.13.53) and 5.x (up to 5.3.29 and 5.5.5) (Contao Advisory, GitHub Advisory).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue, identified as CWE-79 (Improper Neutralization of Input During Web Page Generation). According to the CVSS v4.0 scoring system, it received a moderate severity score of 4.8 with the vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N. The vulnerability requires low attack complexity and can be exploited remotely, though it requires low privileges and active user interaction (GitHub Advisory).

When successfully exploited, the vulnerability allows attackers to execute malicious code through uploaded SVG files in both the backend and frontend environments of the Contao CMS. The CVSS metrics indicate low subsequent system impact on both confidentiality and integrity, with no direct impact on availability (GitHub Advisory).

The vulnerability has been patched in Contao versions 4.13.54, 5.3.30, and 5.5.6. For users unable to upgrade immediately, a workaround is available by removing svg,svgz from the allowed upload file types in the system settings and from contao.editable_files in the config.yaml (Contao Advisory).