Description

Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, back end users with precise control over the contents of template closures can execute arbitrary PHP functions that do not have required parameters. This issue has been patched in versions 4.13.57, 5.3.42, and 5.6.5. A workaround for this issue involves manually patching the Contao\Template::once() method.

PUBLISHED Reserved 2025-11-18 | Published 2025-11-25 | Updated 2025-11-25 | Assigner GitHub_M

Severity: MEDIUM 6.6 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)

Problem types

CWE-351: Insufficient Type Distinction

Product status

>= 4.0.0, < 4.13.57: affected

>= 5.0.0-RC1, < 5.3.42: affected

>= 5.4.0-RC1, < 5.6.5: affected

References

github.com/...contao/security/advisories/GHSA-98vj-mm79-v77r

contao.org/...ies/remote-code-execution-in-template-closures

cve.org (CVE-2025-65960)

nvd.nist.gov (CVE-2025-65960)