CVE-2025-65960
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-25

Last updated on: 2025-12-03

Assigner: GitHub, Inc.

Description
Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, back end users with precise control over the contents of template closures can execute arbitrary PHP functions that do not have required parameters. This issue has been patched in versions 4.13.57, 5.3.42, and 5.6.5. A workaround for this issue involves manually patching the Contao\Template::once() method.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-25
Last Modified
2025-12-03
Generated
2026-06-16
AI Q&A
2025-11-25
EPSS Evaluated
2026-06-15
NVD
CVE-2025-65960
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
contao contao From 4.0.0 (inc) to 4.13.57 (exc)
contao contao From 5.0.0 (inc) to 5.3.42 (exc)
contao contao From 5.4.0 (inc) to 5.6.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-351 The product does not properly distinguish between different types of elements in a way that leads to insecure behavior.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Contao CMS allows back end users who have precise control over template closures to execute arbitrary PHP functions that do not require parameters. This means they can run potentially harmful PHP code through the template system, which could lead to unauthorized actions or system compromise. The issue affects versions from 4.0.0 up to before 4.13.57, before 5.3.42, and before 5.6.5, and has been patched in those later versions.

Impact Analysis

The vulnerability can lead to the execution of arbitrary PHP code by back end users with certain privileges, potentially resulting in full compromise of the system, including unauthorized access, data modification, or denial of service. The CVSS score of 6.6 indicates a medium to high severity with impacts on confidentiality, integrity, and availability.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Contao to version 4.13.57, 5.3.42, 5.6.5 or later. Alternatively, you can apply a manual patch to the Contao\Template::once() method as a workaround until you can upgrade.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-65960. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart