CVE-2025-65960
CVE-2025-65960 is a medium-severity vulnerability in Contao with a CVSS 3.x base score of 6.6. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-351.
Key facts
- Severity: Medium (CVSS 3.x base score 6.6)
- EPSS exploit prediction: 0% (5th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-199633
- Weakness: CWE-351
- Affected product: Contao
- Published:
- Last modified:
Description
Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, back end users with precise control over the contents of template closures can execute arbitrary PHP functions that do not have required parameters. This issue has been patched in versions 4.13.57, 5.3.42, and 5.6.5. A workaround for this issue involves manually patching the Contao\Template::once() method.
Frequently asked questions
- What is CVE-2025-65960?
- Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, back end users with precise control over the contents of template closures can execute arbitrary PHP functions that do not have required parameters. This issue has been patched in versions 4.13.57, 5.3.42, and 5.6.5. A workaround for this issue involves manually patching the Contao\Template::once() method.
- How severe is CVE-2025-65960?
- CVE-2025-65960 has a CVSS 3.x base score of 6.6, rated medium severity. It is exploitable over network with high attack complexity, requires high privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2025-65960 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (5th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2025-65960?
- CVE-2025-65960 affects Contao. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2025-65960?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2025-65960 have an EU (EUVD) identifier?
- Yes. CVE-2025-65960 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-199633.
- When was CVE-2025-65960 published?
- CVE-2025-65960 was published on 2025-11-25 and last updated on 2026-06-17.
References
- https://contao.org/en/security-advisories/remote-code-execution-in-template-closures
- https://github.com/contao/contao/security/advisories/GHSA-98vj-mm79-v77r
Affected products (1)
- cpe:2.3:a:contao:contao:*:*:*:*:*:*:*:*
More vulnerabilities in Contao
- CVE-2022-26265 — Critical (CVSS 9.8): Contao Managed Edition v1.5.0 was discovered to contain a remote command execution (RCE) vulnerability via the…
- CVE-2019-11512 — Critical (CVSS 9.8): Contao 4.x allows SQL Injection. Fixed in Contao 4.4.39 and Contao 4.7.5.
- CVE-2012-4383 — High (CVSS 8.8): contao prior to 2.11.4 has a sql injection vulnerability
- CVE-2019-19745 — High (CVSS 8.8): Contao 4.0 through 4.8.5 allows PHP local file inclusion. A back end user with access to the form generator can upload…
- CVE-2024-45398 — High (CVSS 8.3): Contao is an Open Source CMS. In affected versions a back end user with access to the file manager can upload malicious…
- CVE-2024-28235 — High (CVSS 8.3): Contao is an open source content management system. Starting in version 4.9.0 and prior to versions 4.13.40 and 5.3.4,…
Other CWE-351 vulnerabilities
- CVE-2025-30510 — Critical (CVSS 9.8): An attacker can upload an arbitrary file instead of a plant image.
- CVE-2025-54413 — High (CVSS 8.7): skops is a Python library which helps users share and ship their scikit-learn based models. Versions 0.11.0 and below…
- CVE-2025-54412 — High (CVSS 8.7): skops is a Python library which helps users share and ship their scikit-learn based models. Versions 0.11.0 and below…
- CVE-2024-4769 — Medium (CVSS 5.9): When importing resources using Web Workers, error messages would distinguish the difference between…
- CVE-2026-41341 — Medium (CVSS 5.4): OpenClaw before 2026.3.31 contains a logic error in Discord component interaction routing that misclassifies group…
- CVE-2025-47939 — Medium (CVSS 5.4): TYPO3 is an open source, PHP based web content management system. By design, the file management module in TYPO3’s…