CVE-2025-65960

6.6 MEDIUM

📋 TL;DR

This vulnerability allows authenticated back-end users in Contao CMS to execute arbitrary PHP functions through template closures, potentially leading to remote code execution. It affects Contao versions 4.0.0 to 4.13.56, 5.0.0 to 5.3.41, and 5.4.0 to 5.6.4. Only users with back-end access and control over template closures can exploit this.

💻 Affected Systems

Products:
  • Contao CMS
Versions: 4.0.0 to 4.13.56, 5.0.0 to 5.3.41, 5.4.0 to 5.6.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires back-end user access and control over template closures. Not exploitable by anonymous users.

⚠️ Risk & Real-World Impact

🔴 Worst Case: An authenticated attacker gains full server control through arbitrary PHP function execution, leading to data theft, system compromise, or lateral movement.

🟠 Likely Case: Privileged back-end users escalate privileges or execute unauthorized code within the application context.

🟢 If Mitigated: With proper access controls and monitoring, exploitation is limited to authorized users who would be detected if abusing their privileges.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated back-end access and specific knowledge of template closure manipulation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.13.57, 5.3.42, 5.6.5

Vendor Advisory: https://contao.org/en/security-advisories/remote-code-execution-in-template-closures

Restart Required: No

Instructions:

1. Identify your Contao version.
2. Upgrade to 4.13.57, 5.3.42, or 5.6.5, depending on your major version.
3. Follow standard Contao update procedures via Composer or manual update.

🔧 Temporary Workarounds

Manual patch of Contao\Template::once() method (applies to: all)

Manually apply the security fix to the vulnerable method as described in the advisory. Refer to GitHub security advisory GHSA-98vj-mm79-v77r for the specific code changes.

🧯 If You Can't Patch

  • Restrict back-end user access to only trusted administrators
  • Implement strict monitoring of template modifications and PHP function calls

🔍 How to Verify

Check if Vulnerable:

Check the Contao version via the admin panel or composer.json. If the version falls within the affected ranges, the system is vulnerable.

Check Version:

php vendor/bin/contao-console contao:version

Verify Fix Applied:

Confirm the installed version is 4.13.57, 5.3.42, or 5.6.5 or higher for your major version, then test template closure functionality.
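As an added example (not part of this advisory or of Contao itself), the following POSIX shell check classifies a version string against the affected and patched ranges listed above. It assumes the version is taken from the output of the contao:version command shown above and that this output contains the dotted version number; that output format is an assumption.

```shell
#!/bin/sh
# Added example, not part of the advisory: classify a Contao version string
# against the CVE-2025-65960 ranges listed on this page.
#   affected: 4.0.0-4.13.56, 5.0.0-5.3.41, 5.4.0-5.6.4
#   patched:  4.13.57, 5.3.42, 5.6.5 (and higher)

# version_le A B: succeed when dotted version A <= B (numeric, component-wise,
# so 4.9.0 < 4.13.0; missing trailing components count as 0)
version_le() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ -n "$x" ] || x=0
        [ -n "$y" ] || y=0
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# in_range V LO HI: succeed when LO <= V <= HI
in_range() { version_le "$2" "$1" && version_le "$1" "$3"; }

# contao_cve_2025_65960_status RAW: prints vulnerable | patched | not-covered
# RAW may be the raw output of `contao-console contao:version`; the first
# dotted number in it is taken as the version (assumed output format).
contao_cve_2025_65960_status() {
    v=$(printf '%s' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*/\1/p')
    [ -n "$v" ] || { echo not-covered; return 0; }
    if in_range "$v" 4.0.0 4.13.56 || in_range "$v" 5.0.0 5.3.41 \
        || in_range "$v" 5.4.0 5.6.4; then
        echo vulnerable
    else
        case $v in
            4.*|5.*) echo patched ;;      # 4.13.57+, 5.3.42+, 5.6.5+
            *)       echo not-covered ;;  # outside the advisory's ranges
        esac
    fi
}

# Usage: sh check.sh "$(php vendor/bin/contao-console contao:version)"
if [ -n "${1:-}" ]; then
    printf '%s -> %s\n' "$1" "$(contao_cve_2025_65960_status "$1")"
fi
```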

📡 Detection & Monitoring

Log Indicators:

  • Unusual PHP function calls from template files
  • Template modification by non-admin users
  • Unexpected system command execution

Network Indicators:

  • Unusual outbound connections from web server process

SIEM Query:

Search for 'Contao\Template::once' in application logs with suspicious parameters
