CVE-2025-65961: 
PHP vulnerability analysis and mitigation

Contao, an Open Source CMS, was found to contain a cross-site scripting vulnerability (CVE-2025-65961) affecting versions 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5. The vulnerability allows attackers to inject malicious code into template outputs that can be executed in both the front end and back end of the application (NVD, Contao Advisory).

The vulnerability is classified as CWE-87 (Improper Neutralization of Alternate XSS Syntax) and has received a CVSS v3.1 base score of 3.3 (Low) with the vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N. This indicates that while the vulnerability is network-accessible, it requires high attack complexity and high privileges to exploit, with no user interaction needed (GitHub Advisory).

The vulnerability enables attackers to inject code that will be executed in the browser in both the front end and back end of the application, potentially compromising the security of the web application and its users (Miggo Database).

The vulnerability has been patched in Contao versions 4.13.57, 5.3.42, and 5.6.5. Users are advised to upgrade to these versions. For those unable to update immediately, a workaround involves either not using the affected templates or patching them manually (Contao Advisory).