CVE-2025-65960— Contao 安全漏洞

Contao is vulnerable to remote code execution in template closures

Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, back end users with precise control over the contents of template closures can execute arbitrary PHP functions that do not have required parameters. This issue has been patched in versions 4.13.57, 5.3.42, and 5.6.5. A workaround for this issue involves manually patching the Contao\Template::once() method.

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

不充分的类型区分

Contao 安全漏洞

Contao是Contao开源的一套采用PHP开发的开源内容管理系统（CMS）。该系统支持搜索引擎、权限管理和CSS框架等。 Contao 4.0.0版本至4.13.57之前版本、5.3.42之前版本和5.6.5之前版本存在安全漏洞，该漏洞源于模板闭包中可执行任意PHP函数，可能导致代码执行。

N/A

N/A