by Leo Feyer

Remote code execution in template closures

Date: 2025-11-25
CVE ID: CVE-2025-65960

Back end users with precise control over the contents of template closures can execute arbitrary PHP functions that do not have required parameters.

Affected versions

Contao 4.0
Contao 4.1
Contao 4.2
Contao 4.3
Contao 4.4
Contao 4.5
Contao 4.6
Contao 4.7
Contao 4.8
Contao 4.9
Contao 4.10
Contao 4.11
Contao 4.12
Contao 4.13 up to 4.13.56
Contao 5.0
Contao 5.1
Contao 5.2
Contao 5.3 up to 5.3.41
Contao 5.4
Contao 5.5
Contao 5.6 up to 5.6.4

Suggested solution

Upgrade to Contao 4.13.57, 5.3.42 or 5.6.5.

Workaround

Manually patch the Contao\Template::once() method.
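As an added illustration that is not part of the advisory and not Contao's actual code, the PHP below contrasts the general defect class the advisory describes with a hardened form: a "run this block only once" helper whose parameter is typed `callable` will also accept a string naming an existing function, whereas a helper that insists on a genuine `\Closure` object rejects everything else before call time. The class name, method names, the `$key` and `$callable` parameters and the `$done` cache array are all assumptions made for this example, and it assumes PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Hypothetical minimal "execute once per key" helper. This is NOT the
// real Contao\Template::once() implementation; it only illustrates the
// difference between "any callable" and "a real Closure".
final class TemplateOnceExample
{
    /** @var array<string, bool> keys that have already been executed */
    private array $done = [];

    // Weak form: the `callable` type also admits strings and arrays that
    // name any existing function or method, so a template value that is
    // not a real closure can still end up being invoked here.
    public function onceWeak(string $key, callable $callable): void
    {
        if (isset($this->done[$key])) {
            return;
        }
        $this->done[$key] = true;
        $callable();
    }

    // Hardened form: only a genuine Closure object is executable. Any other
    // value is rejected up front, before the "once" bookkeeping and the call.
    public function onceStrict(string $key, mixed $callable): void
    {
        if (!$callable instanceof \Closure) {
            throw new \InvalidArgumentException(sprintf(
                'Template closure for "%s" must be a \Closure, %s given',
                $key,
                get_debug_type($callable)
            ));
        }
        if (isset($this->done[$key])) {
            return;
        }
        $this->done[$key] = true;
        $callable();
    }
}

$t = new TemplateOnceExample();

// A real closure runs exactly once per key.
$t->onceStrict('header', static function (): void { echo "rendered once\n"; });
$t->onceStrict('header', static function (): void { echo "never printed\n"; });

// A plain string naming a function (constructed input) is refused.
try {
    $t->onceStrict('footer', 'time');
} catch (\InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Running the script prints "rendered once" followed by the exception message; the second call with the same key is skipped and the string value is never executed. The takeaway for anyone auditing template helpers is that `callable` as a parameter type, or an unchecked `call_user_func()`, is broader than "closure": any code path that invokes a value a back end user can influence should be treated as a sink and restricted to `\Closure` instances.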

More information

https://github.com/contao/contao/security/advisories/GHSA-98vj-mm79-v77r