CVE-2025-65960: 
PHP vulnerability analysis and mitigation

Contao, an Open Source CMS, was found to contain a remote code execution vulnerability (CVE-2025-65960) affecting versions 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5. The vulnerability allows back end users with precise control over template closures to execute arbitrary PHP functions that do not have required parameters (Contao Advisory, GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 6.6 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-351 (Insufficient Type Distinction), indicating that the product does not properly distinguish between different types of elements, leading to insecure behavior. The issue specifically involves the Contao\Template::once() method (GitHub Advisory).

The vulnerability allows authenticated back end users to execute arbitrary PHP functions that do not have required parameters, potentially leading to remote code execution. The CVSS scoring indicates high potential impact on confidentiality, integrity, and availability of the affected system (GitHub Advisory).

The vulnerability has been patched in Contao versions 4.13.57, 5.3.42, and 5.6.5. Users are advised to upgrade to these versions. As a workaround, administrators can manually patch the Contao\Template::once() method if immediate upgrading is not possible (Contao Advisory).