← Back

CVE-2025-65960

nvd nist
Published: Nov 25, 2025Modified: Dec 3, 2025

JSON object

Loading...
6.6
Vector
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 0.7 / Impact: 5.9
Source: security-advisories@github.com (Secondary)

Description

Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, back end users with precise control over the contents of template closures can execute arbitrary PHP functions that do not have required parameters. This issue has been patched in versions 4.13.57, 5.3.42, and 5.6.5. A workaround for this issue involves manually patching the Contao\Template::once() method.

Affected (3)

Products: Contao: Contao
Contao
1 product
Contao
Configuration A
3 vulnerable
Vulnerable SoftwareAffected Versions
Contao
Contao
From 4.0.0 to 4.13.57
Contao
From 5.0.0 to 5.3.42
Contao
From 5.4.0 to 5.6.5

Related CWEs

CWE-351
Insufficient Type Distinction
The product does not properly distinguish between different types of elements in a way that leads to insecure behavior.

References (2)

Source: security-advisories@github.com
Vendor Advisory
Source: security-advisories@github.com
Vendor Advisory

Timeline

No history available yet.