Home > Vulnerability Database > CVE-2025-65960

Mend.io Vulnerability Database

CVE-2025-65960

Good to know:

Date: November 25, 2025

Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, back end users with precise control over the contents of template closures can execute arbitrary PHP functions that do not have required parameters. This issue has been patched in versions 4.13.57, 5.3.42, and 5.6.5. A workaround for this issue involves manually patching the Contao\Template::once() method.

Severity Score

6.6

Related Resources (8)

Url: https://contao.org/en/security-advisories/remote-code-execution-in-template-closures

Url: https://github.com/contao/contao

Url: https://github.com/contao/contao/security/advisories/GHSA-98vj-mm79-v77r

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-65960

Url: https://github.com/contao/contao/commit/577d7fdd5b1ca84f65f034ff556865422f0a3bd1

Url: https://github.com/contao/contao/commit/ebf84c90e5679a67060f396b924ce4a3c3f206b3

Url: https://github.com/contao/contao/commit/676f0855d39007ac9a0dbe7ae6a7414cba2312a5

Url: https://www.mend.io/vulnerability-database/CVE-2025-65960

Severity Score

6.6

Weakness Type (CWE)

Insufficient Type Distinction

CWE-351

Top Fix

Upgrade Version

Upgrade to version contao/core-bundle - 4.13.57;contao/core-bundle - 5.3.42;contao/core-bundle - 5.6.5

Learn More

CVSS v3.1

Base Score:	6.6
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-65960

Good to know:

Date: November 25, 2025

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?