Contao
Moderate fix4 remedies
cpe:2.3:a:contao:contao:*:*:*:*:*:*:*
Moderate fix4 remedies
- 4.0.0
- 4.1
- 4.2
- 4.3
- 4.4
- 4.5
- 4.6
- 4.7
- 4.8
- 4.9
- 4.10
- 4.11
- 4.12
- 4.13
- 5.0
- 5.1
- 5.2
- 5.3
- 5.4
- 5.5
- 5.6
Contao Remote Code Execution Vulnerability in Template Closures
Vulnerability
Patched
A remote code execution vulnerability has been identified in Contao versions 4.0.0 prior to 4.13.57, 5.3.42 prior to 5.6.5, and 5.6.4. Back end users with specific control over template closure contents can execute arbitrary PHP functions that lack required parameters. This vulnerability has been patched in Contao versions 4.13.57, 5.3.42, and 5.6.5.
Impact
Exploitation of this vulnerability allows for arbitrary PHP code execution on the server.
Remediation
Users can upgrade to Contao versions 4.13.57, 5.3.42, or 5.6.5 to address this vulnerability. Alternatively, the issue can be temporarily mitigated by manually patching the 'Contao\Template::once()' method.
Added: Nov 25, 2025, 7:18 PM
Updated: Nov 25, 2025, 10:32 PM
Vulnerability Rating
Custom Algorithm
spread
5.2impact
10.0exploitability
5.0remediation
7.7relevance
1.2threat
0.0urgency
2.9incentive
1.7Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.