Already a customer?
Log in now
You would like to become a customer?
Test trakked now
This release fixes two security vulnerabilities (CVE-2025-65960 and CVE-2025-65961). An update is recommended accordingly.
In addition, the dev cache is now also deleted during updates, and the Swiper markup has been adjusted so that buttons are not displayed twice.
Security vulnerabilities closed:
- Remote code execution in template closures (CVE-2025-65960)
- Cross-site scripting in templates (CVE-2025-65961)
Changelog of the fixed issues in Contao 5.3.42:
- #9032 Also delete the dev cache in `contao-setup` (fritzmg)
- #8997 Fix `isHidden()` for `ContentProxy` (fritzmg)
- #9023 Fix a PHP8 issue in the module wizard (aschempp)
- #9024 Fix rendering member fields without label (aschempp)
- #9011 Only load disabled images in `AjaxRequest.toggleField` if they exist (zoglo)
- #8945 Use the original Swiper markup (leofeyer)
- #9015 Ignore web profiler requests in the search index and fix the back end request regex (fritzmg)
- #8991 Move the try/catch block only around the insert statement (bytehead)
- #8993 Fix a bug with HTML encoded styles in `HtmlAttributes` (ausi)
- #8996 Fix a typo for `addBefore` in `ModuleFaqReader` (fritzmg)
Vulnerability details
The full post is only visible for trakked customers
About Contao 5.3 LTS
The first stable version of Contao 5.3 has been released on February 16, 2024, replacing Contao 4.13 as the long term support version. As an LTS version, 5.3 will be provided with bug fixes until February 14, 2027 and security-related updates until February 14, 2028. Contao 5.7 has been the next LTS version of Contao and will be released in February 2026, ensuring a stress-free transition.
