CVE-2025-10210
Published 2025-09-10
Priority P2 65 · high · 8.8 (CVSS 3.1, AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 1.20% (64.2th percentile)
A weakness has been identified in yanyutao0402 ChanCMS up to 3.3.0. It affects the function Search in the file app/modules/api/service/Api.js. Manipulating the argument key can lead to SQL injection. The attack can be launched remotely. The exploit has been made available to the public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chancms | chancms | <= 3.3.0 | — |
| yanyutao0402 | chancms | — | — |
| yanyutao0402 | chancms | — | — |
| yanyutao0402 | chancms | — | — |
| yanyutao0402 | chancms | — | — |
Detection & IOCs
- SQL injection payload uses XPATH error-based extraction via extractvalue(); detect by matching both a random string and 'XPATH syntax' in the HTTP response body.
- Attack targets the GET parameter 'key' in the /api/v1/search endpoint; monitor for single-quote characters and SQL keywords (e.g., extractvalue, concat) in that parameter.
- HTTP response status codes 200 or 500 combined with XPATH error text in the body indicate successful exploitation of the error-based SQLi.
- The Nuclei template uses a dynamic random string (md5 of rand_base) as a canary value; static signatures must account for this variability and instead match the 'XPATH syntax' error string alongside any hex-encoded concat pattern.
- The vulnerability affects ChanCMS versions up to and including 3.3.0 only; version checks should be applied before alerting to reduce false positives.
- The exploit requires an authenticated (low-privilege) request (CVSS PR:L); unauthenticated probes to /api/v1/search will not reproduce the vulnerability.
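The request and response checks from the list above, combined into one triage routine. This is an added example, not code from the original page, ChanCMS or the Nuclei template; the event dictionaries, function names and verdict labels are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

SEARCH_PATH = "/api/v1/search"   # endpoint named on this page
ERROR_MARKER = "XPATH syntax"    # error text named on this page
# Keywords named on this page plus hex literals; extend to suit your traffic.
SQL_TOKENS = re.compile(r"\b(extractvalue|concat)\b|0x[0-9a-f]{2,}", re.I)


def suspicious_key(target: str) -> list[str]:
    """Return the reasons the 'key' parameter of a search request looks like SQLi."""
    url = urlsplit(target)
    if url.path.rstrip("/") != SEARCH_PATH:
        return []
    reasons = []
    # parse_qs percent-decodes the value, so encoded quotes are caught too.
    for value in parse_qs(url.query, keep_blank_values=True).get("key", []):
        if "'" in value:
            reasons.append("single quote")
        reasons += sorted({m.group(0).lower() for m in SQL_TOKENS.finditer(value)})
    return reasons


def classify(event: dict) -> str:
    """Return 'likely-exploited', 'probe' or 'clean' for one request/response pair."""
    reasons = suspicious_key(event["target"])
    leaked = event["status"] in (200, 500) and ERROR_MARKER in event["body"]
    if reasons and leaked:
        return "likely-exploited"
    return "probe" if reasons else "clean"


# Constructed sample events, not real traffic; the flagged key values are
# bare tokens for exercising the matcher, not a working query.
EVENTS = [
    {"target": "/api/v1/search?key=release+notes", "status": 200, "body": '{"list":[]}'},
    {"target": "/api/v1/search?key=a%27+extractvalue+concat+0x7e", "status": 500,
     "body": "XPATH syntax error: 'PLACEHOLDER'"},
    {"target": "/api/v1/search?key=o%27brien", "status": 200, "body": '{"list":[]}'},
    {"target": "/api/v1/article?key=concat", "status": 200, "body": "ok"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(classify(ev), suspicious_key(ev["target"]), ev["target"])
```

A single quote on its own also matches legitimate searches such as the third sample, which is why the verdict only escalates when the response body carries the error marker.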
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 2.1 | LOW | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
No detection rules found.
Nuclei
ChanCMS <= 3.3.0 - SQL Injection
nuclei·CVSS 5.3
CVE-2025-10210 [MEDIUM] ChanCMS <= 3.3.0 - SQL Injection
yanyutao0402 ChanCMS = 3.3.0 contains a SQL injection caused by manipulation of the "key" argument in the Search function of app/modules/api/service/Api.js, letting remote attackers execute arbitrary SQL commands. Exploitation requires a crafted request.
Template:
```yaml
id: CVE-2025-10210

info:
  name: ChanCMS <= 3.3.0 - SQL Injection
  author: Yu_Bao
  severity: medium
  description: |
    yanyutao0402 ChanCMS = 3.3.0 contains a SQL injection caused by manipulation of the \"key\" argument in app/modules/api/service/Api.js Search function, letting remote attackers execute arbitrary SQL commands, exploit requires crafted request.
  impact: |
    Remote attackers can execute arbitrary SQL commands, potentially leading to data theft or database compromise.
  remediation: |
    Update to the latest
```
No writeups or analysis indexed.
2025-09-10: Published