CVE-2025-10211
published 2025-09-10CVE-2025-10211: A security vulnerability has been detected in yanyutao0402 ChanCMS 3.3.0. The affected element is the function CollectController of the file…
PriorityP278medium6.3CVSS 3.1
AVNACLPRLUINSUCLILAL
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
0.66%
46.7th percentile
A security vulnerability has been detected in yanyutao0402 ChanCMS 3.3.0. The affected element is the function CollectController of the file /cms/collect/getArticle. The manipulation of the argument taskUrl leads to server-side request forgery. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chancms | chancms | — | — |
| yanyutao0402 | chancms | — | — |
Detection & IOCsextracted from sources · hover to see the quote
commandPOST /cms/collect/getArticle with body: {"taskUrl": "http://{{interactsh-url}}", "titleTag": "title", "articleTag": "body", "parseData": "return data;"}
othershodan: http.html:"ChanCMS"
otherfofa: body="ChanCMS"
- →Detect SSRF exploitation attempts by monitoring POST requests to /cms/collect/getArticle with a JSON body containing the 'taskUrl' parameter pointing to external or internal hosts.
- →A successful exploit response will contain both 'success' and 'article' in the response body with HTTP status 200; use out-of-band (OOB/OAST) DNS interaction to confirm blind SSRF.
- →The exploit requires no special privileges (no authentication needed), making unauthenticated POST requests to the endpoint a high-signal detection opportunity.
- →Content-Type header must be application/json for the attack request to be processed by the vulnerable endpoint.
- ·The vulnerability affects ChanCMS version 3.3.0 and below; the vendor did not respond to disclosure, so no official patch confirmation is available. ↗
- ·The Nuclei template uses interactsh for OOB DNS detection; environments without external DNS egress may not trigger the DNS-based matcher, requiring fallback to response-body matching ('success','article').
CVSS provenance
nvdv3.16.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
nvdv4.02.1LOWCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvdv2.06.5MEDIUMAV:N/AC:L/Au:S/C:P/I:P/A:P
vulncheck5.3MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-2f88-7653-v86f: A security vulnerability has been detected in yanyutao0402 ChanCMS 3
ghsa_unreviewed·2025-09-10
CVE-2025-10211 [MEDIUM] CWE-918 GHSA-2f88-7653-v86f: A security vulnerability has been detected in yanyutao0402 ChanCMS 3
A security vulnerability has been detected in yanyutao0402 ChanCMS 3.3.0. The affected element is the function CollectController of the file /cms/collect/getArticle. The manipulation of the argument taskUrl leads to server-side request forgery. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
VulnCheck
chancms chancms Server-Side Request Forgery (SSRF)
vulncheck·2025·CVSS 5.3
CVE-2025-10211 [MEDIUM] chancms chancms Server-Side Request Forgery (SSRF)
chancms chancms Server-Side Request Forgery (SSRF)
A security vulnerability has been detected in yanyutao0402 ChanCMS 3.3.0. The affected element is the function CollectController of the file /cms/collect/getArticle. The manipulation of the argument taskUrl leads to server-side request forgery. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Affected: chancms chancms
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2026-01-31&host_type=src&vulnerabil
No detection rules found.
Nuclei
ChanCMS <= 3.3.0 - Server-Side Request Forgery
nuclei·CVSS 5.3
CVE-2025-10211 [MEDIUM] ChanCMS <= 3.3.0 - Server-Side Request Forgery
ChanCMS <= 3.3.0 - Server-Side Request Forgery
yanyutao0402 ChanCMS 3.3.0 contains a server-side request forgery caused by manipulation of the "taskUrl" argument in /cms/collect/getArticle, letting remote attackers make arbitrary requests, exploit requires no special privileges.
Template:
id: CVE-2025-10211
info:
name: ChanCMS <= 3.3.0 - Server-Side Request Forgery
author: Yu_Bao
severity: medium
description: |
yanyutao0402 ChanCMS 3.3.0 contains a server-side request forgery caused by manipulation of the "taskUrl" argument in /cms/collect/getArticle, letting remote attackers make arbitrary requests, exploit requires no special privileges.
impact: |
Remote attackers can make arbitrary requests from the server, potentially accessing internal resources or sensitive data.
remediation: |
U
No writeups or analysis indexed.
2025-09-10
Published
Exploited in the wild