CVE-2025-10211
published 2025-09-10


Priority: P278 · medium · 6.3 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:L / I:L / A:L
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 0.66% (46.7th percentile)
A security vulnerability has been detected in yanyutao0402 ChanCMS 3.3.0. The affected element is the function CollectController of the file /cms/collect/getArticle. The manipulation of the argument taskUrl leads to server-side request forgery. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
chancms | chancms | |
yanyutao0402 | chancms | |

Detection & IOCs (extracted from sources)

url: /cms/collect/getArticle
path: /cms/collect/getArticle
command: POST /cms/collect/getArticle with body: {"taskUrl": "http://{{interactsh-url}}", "titleTag": "title", "articleTag": "body", "parseData": "return data;"}
other: shodan: http.html:"ChanCMS"
other: fofa: body="ChanCMS"
  • Detect SSRF exploitation attempts by monitoring POST requests to /cms/collect/getArticle with a JSON body containing the 'taskUrl' parameter pointing to external or internal hosts.
  • A successful exploit response will contain both 'success' and 'article' in the response body with HTTP status 200; use out-of-band (OOB/OAST) DNS interaction to confirm blind SSRF.
  • The exploit requires no special privileges (no authentication needed), making unauthenticated POST requests to the endpoint a high-signal detection opportunity.
  • Content-Type header must be application/json for the attack request to be processed by the vulnerable endpoint.
  • The vulnerability affects ChanCMS version 3.3.0 and below; the vendor did not respond to disclosure, so no official patch confirmation is available.
  • The Nuclei template uses interactsh for OOB DNS detection; environments without external DNS egress may not trigger the DNS-based matcher, requiring fallback to response-body matching ('success','article').
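
The request-side checks in the notes above (POST, the `/cms/collect/getArticle` path, a JSON content type, a `taskUrl` value) can be applied to logged requests as in the following added example, which is not part of the original entry or of any referenced template. The log record layout (`src`, `method`, `path`, `content_type`, `session`, `body`) and the function names are assumptions, and the sample records are constructed.

```python
import ipaddress
import json
from urllib.parse import urlsplit
ENDPOINT = "/cms/collect/getArticle"  # endpoint named in the advisory

def classify_target(task_url):
    """Label the taskUrl destination without resolving DNS."""
    try:
        host = urlsplit(task_url).hostname
    except ValueError:
        return "unparseable"
    if not host:
        return "unparseable"
    if host.lower() == "localhost":
        return "internal"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"  # correlate with resolver or proxy logs
    internal = ip.is_private or ip.is_loopback or ip.is_link_local
    return "internal" if internal else "external-ip"

def inspect_request(req):
    """Return a finding for a logged request, or None if it is not relevant."""
    if req.get("method") != "POST" or urlsplit(req.get("path", "")).path != ENDPOINT:
        return None
    if "application/json" not in req.get("content_type", "").lower():
        return None
    try:
        body = json.loads(req.get("body") or "")
    except ValueError:
        return None
    task_url = body.get("taskUrl") if isinstance(body, dict) else None
    if not isinstance(task_url, str):
        return None
    return {"src": req.get("src"), "taskUrl": task_url,
            "target": classify_target(task_url), "has_session": bool(req.get("session"))}

# Constructed sample records, not real traffic; the field names are assumptions.
SAMPLE = [
    {"src": "198.51.100.7", "method": "POST", "path": ENDPOINT, "session": None,
     "content_type": "application/json", "body": '{"taskUrl": "http://10.0.0.5/", "titleTag": "title"}'},
    {"src": "198.51.100.9", "method": "POST", "path": ENDPOINT, "session": "abc",
     "content_type": "application/json; charset=utf-8", "body": '{"taskUrl": "http://feeds.example.net/a"}'},
    {"src": "198.51.100.9", "method": "GET", "path": ENDPOINT, "content_type": "", "body": ""},
]
FINDINGS = [f for f in map(inspect_request, SAMPLE) if f]
```

Findings with target `internal` deserve the first look; a `hostname` target needs DNS or egress-proxy logs to decide where the server actually connected.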

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 6.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
nvd | v4.0 | 2.1 | LOW | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P
vulncheck | | 5.3 | MEDIUM |