CVE-2025-10210
published 2025-09-10


Priority: P2 (65, high)
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: public
EPSS: 1.20% (64.2th percentile)
A weakness has been identified in yanyutao0402 ChanCMS up to 3.3.0. The affected code is the function Search in the file app/modules/api/service/Api.js. Manipulation of the argument key can lead to SQL injection. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

Affected (5 ranges)

Vendor        Product   Version range   Fixed in
chancms       chancms   <= 3.3.0        (not given)
yanyutao0402  chancms   (not given)     (not given)
yanyutao0402  chancms   (not given)     (not given)
yanyutao0402  chancms   (not given)     (not given)
yanyutao0402  chancms   (not given)     (not given)

Detection & IOCs (extracted from sources)

Path: /api/v1/search?key=%27%20and%20extractvalue(1,concat(0x7e,%27{{rstr}}%27,0x7e))--%20a
Path: app/modules/api/service/Api.js
  • SQL injection payload uses XPATH error-based extraction via extractvalue(); detect by matching both a random string and 'XPATH syntax' in the HTTP response body.
  • Attack targets the GET parameter 'key' in the /api/v1/search endpoint; monitor for single-quote characters and SQL keywords (e.g., extractvalue, concat) in that parameter.
  • HTTP response status codes 200 or 500 combined with XPATH error text in the body indicate successful exploitation of the error-based SQLi.
  • The Nuclei template uses a dynamic random string (md5 of rand_base) as a canary value; static signatures must account for this variability and instead match the 'XPATH syntax' error string alongside any hex-encoded concat pattern.
  • The vulnerability affects ChanCMS versions up to and including 3.3.0 only; version checks should be applied before alerting to reduce false positives.
  • The exploit requires an authenticated (low-privilege) request (CVSS PR:L); unauthenticated probes to /api/v1/search will not reproduce the vulnerability.
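As an added example (not part of this record or of ChanCMS), the detection guidance above turned into a small checker run over constructed request log entries; the log tuple shape, the function names and the sample traffic are assumptions:

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Keywords the IOC notes call out for the 'key' parameter, plus common SQLi siblings.
SQL_KEYWORDS = re.compile(r"\b(extractvalue|updatexml|concat|union|select)\b", re.I)
# Response-side string the template matches; the canary itself is random, so ignore it.
XPATH_ERROR = re.compile(r"XPATH syntax", re.I)

def inspect_request(url, status=None, body=""):
    """Return the (sorted) reasons a request looks like CVE-2025-10210 probing."""
    parts = urlsplit(url)
    if parts.path != "/api/v1/search":          # only the vulnerable endpoint
        return []
    key_values = parse_qs(parts.query, keep_blank_values=True).get("key", [])
    reasons = set()
    for raw in key_values:
        value = unquote(raw)                     # also catches double-encoded quotes
        if "'" in value and SQL_KEYWORDS.search(value):
            reasons.add("sqli-pattern-in-key")
        if re.search(r"concat\s*\(\s*0x7e", value, re.I):
            reasons.add("hex-concat-canary")     # the hex-encoded concat pattern
    # Confirmation: status 200/500 together with the XPATH error text in the body.
    if reasons and status in (200, 500) and XPATH_ERROR.search(body):
        reasons.add("xpath-error-in-response")
    return sorted(reasons)

# Constructed sample log entries (hypothetical, not real traffic): (url, status, body).
SAMPLE_LOG = [
    ("/api/v1/search?key=%27%20and%20extractvalue(1,concat(0x7e,%27abc%27,0x7e))--%20a",
     500, "XPATH syntax error: '~abc~'"),
    ("/api/v1/search?key=hello%20world", 200, '{"results":[]}'),
    ("/api/v1/article?key=%27%20and%20extractvalue(1,1)", 200, ""),
]

def scan_log(entries):
    """Return (url, reasons) for every entry that trips at least one indicator."""
    hits = []
    for url, status, body in entries:
        reasons = inspect_request(url, status, body)
        if reasons:
            hits.append((url, reasons))
    return hits

if __name__ == "__main__":
    for url, reasons in scan_log(SAMPLE_LOG):
        print(url, "->", ", ".join(reasons))
```

Pair this with the version check from the notes above (ChanCMS <= 3.3.0) before raising an alert, since the request-side pattern alone says nothing about whether the target is actually vulnerable.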

CVSS provenance

NVD, CVSS v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v4.0: 2.1 LOW, CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
NVD, CVSS v2.0: 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P