Insufficient Type Distinction in Contao - CVE-2025-65960

Published: May 5, 2026


Vulnerability identifier: #VU130148
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-65960
CWE-ID: CWE-351
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Contao
Affected software: Contao

Detailed vulnerability description

The vulnerability allows a remote privileged user to execute arbitrary PHP functions.

The vulnerability exists because template closures do not sufficiently distinguish the type of their contents (CWE-351) when processing attacker-controlled closure contents. A remote privileged user who controls the contents of a template closure can execute arbitrary PHP functions.

Only PHP functions that do not have required parameters can be executed.
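As an added illustration of the CWE-351 pattern the description points at (hypothetical helper names and inputs; not Contao's code and not taken from the advisory): a template helper that accepts any PHP callable will invoke a function-name string that arrives as closure contents, which is why only functions without required parameters are reachable, while a check for a genuine `\Closure` treats such a string as plain text.

```php
<?php
// Added example illustrating insufficient type distinction (CWE-351) in a
// template helper. The helper names below are assumptions, not Contao's API.

declare(strict_types=1);

/**
 * Vulnerable: is_callable() is true for Closures AND for strings naming a
 * defined function, so attacker-controlled closure contents such as
 * "phpversion" are invoked. The call passes no arguments, which is why only
 * functions without required parameters can be executed this way.
 */
function renderValueVulnerable(mixed $value): string
{
    if (is_callable($value)) {
        $value = $value();
    }

    return htmlspecialchars((string) $value, ENT_QUOTES);
}

/**
 * Hardened: only a real Closure object is executed. A string that happens to
 * name a function is kept as text and rendered, never called.
 */
function renderValueHardened(mixed $value): string
{
    if ($value instanceof \Closure) {
        $value = $value();
    }

    return htmlspecialchars((string) $value, ENT_QUOTES);
}

// Constructed inputs: a legitimate template closure and a function-name
// string standing in for attacker-controlled closure contents.
$legitimateClosure = static fn (): string => 'rendered by closure';
$untrustedContents = 'phpversion';

echo renderValueVulnerable($legitimateClosure), PHP_EOL; // closure runs
echo renderValueVulnerable($untrustedContents), PHP_EOL; // named function is invoked
echo renderValueHardened($legitimateClosure), PHP_EOL;   // closure runs
echo renderValueHardened($untrustedContents), PHP_EOL;   // string echoed, not invoked
```

For detection in code review, search template helpers for `is_callable()` or `call_user_func()` applied to values that can be influenced by users; the fix is to require `instanceof \Closure` (or an explicit allowlist) before invoking anything.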

How to mitigate CVE-2025-65960

Install the security update from the vendor's website.

Sources