CVE-2025-65960
MEDIUMDescription
Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, back end users with precise control over the contents of template closures can execute arbitrary PHP functions that do not have required parameters. This issue has been patched in versions 4.13.57, 5.3.42, and 5.6.5. A workaround for this issue involves manually patching the Contao\Template::once() method.
Is your site exposed to CVE-2025-65960?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| contao | contao |
| contao | contao |
| contao | contao |
References
Frequently Asked Questions
What is CVE-2025-65960? +
How severe is CVE-2025-65960? +
What products are affected by CVE-2025-65960? +
How do I check if I'm vulnerable to CVE-2025-65960? +
Related Vulnerabilities
skops is a Python library which helps users share and ship their scikit-learn based models. Versions 0.11.0 and below contain …
skops is a Python library which helps users share and ship their scikit-learn based models. Versions 0.11.0 and below contain …
Users were able to upload files with arbitrary MIME types to forms using FileUpload or ImageUpload elements with allowedMimeTypes configured. …
An attacker can upload an arbitrary file instead of a plant image.
HCL BigFix RunBookAI is affected by a Unvalidated Command Input / Potential Command Smuggling vulnerability. A flaw in a component's …
When importing resources using Web Workers, error messages would distinguish the difference between `application/javascript` responses and non-script responses. This could …