CVE-2025-8266
published 2025-07-28


Priority: P2 · 77 · medium 6.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 0.97% (57.5th percentile)

A vulnerability has been found in yanyutao0402 ChanCMS up to 3.1.2 and classified as critical. It affects the function getArticle in the file app/modules/cms/controller/collect.js. Manipulation of the argument targetUrl leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.1.3 addresses this issue, and upgrading the affected component is recommended.

Affected

4 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chancms | chancms | < 3.1.3 | 3.1.3 |
| yanyutao0402 | chancms | | |
| yanyutao0402 | chancms | | |
| yanyutao0402 | chancms | | |

Detection & IOCs (extracted from sources)

path: app/modules/cms/controller/collect.js
url: /cms/gather/getArticle?targetUrl=http://jsonplaceholder.typicode.com/posts/1&parseData=return+process.mainModule.require(%27child_process%27).execSync(%27id%27).toString()
command: process.mainModule.require('child_process').execSync('id').toString()
  • Detect exploitation attempts by monitoring HTTP requests to /cms/gather/getArticle with both 'targetUrl' and 'parseData' query parameters present, especially where 'parseData' contains Node.js RCE payloads (e.g., 'child_process', 'execSync', 'process.mainModule').
  • Use Shodan query 'html:"ChanCMS"' to identify internet-exposed ChanCMS instances potentially vulnerable to this RCE.
  • The exploit proof-of-concept uses an external SSRF callback domain (jsonplaceholder.typicode.com) as the 'targetUrl' value; real-world attackers may substitute any attacker-controlled URL, so detections should not rely on this specific domain.
  • The vulnerability is only present in ChanCMS versions up to and including 3.1.2; version 3.1.3 is patched and should not be flagged.
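
The detection described in the bullets above, as an added Python example (not code from ChanCMS or from this page's sources). It assumes combined-format access logs and case-insensitive route and parameter matching; the log lines are constructed, with the first carrying the URL quoted on this page.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

ENDPOINT = "/cms/gather/getarticle"   # path from the page, compared case-insensitively
TOKENS = ("child_process", "execsync", "process.mainmodule")  # tokens named on the page
REQ = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')  # request line; log format is an assumption

def classify(line):
    """None = not relevant, 'suspicious' = both parameters, 'rce-attempt' = payload tokens."""
    m = REQ.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if url.path.rstrip("/").lower() != ENDPOINT:
        return None
    qs = {k.lower(): v for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    if "targeturl" not in qs or "parsedata" not in qs:
        return None
    # parse_qs decoded once; unquote again so double-encoded values are also inspected.
    payload = unquote(" ".join(qs["parsedata"])).lower()
    # The targetUrl host is deliberately ignored: it can be any URL.
    return "rce-attempt" if any(t in payload for t in TOKENS) else "suspicious"

def scan(lines):
    """Return (line_number, verdict) for every line that classify() flags."""
    hits = []
    for n, line in enumerate(lines, 1):
        verdict = classify(line)
        if verdict:
            hits.append((n, verdict))
    return hits

def _log(request_uri):
    # Constructed combined-format entry (not real traffic).
    return f'203.0.113.5 - - [28/Jul/2025:10:00:00 +0000] "GET {request_uri} HTTP/1.1" 200 512'

POC = ("parseData=return+process.mainModule.require(%27child_process%27)"
       ".execSync(%27id%27).toString()")
SAMPLE = [
    _log("/cms/gather/getArticle?targetUrl=http://jsonplaceholder.typicode.com/posts/1&" + POC),
    _log("/cms/gather/getArticle?targetUrl=http://198.51.100.7/feed&" + POC),
    _log("/cms/gather/getArticle?targetUrl=http://198.51.100.7/feed&parseData=return+data.title"),
    _log("/cms/gather/getArticle?targetUrl=http://198.51.100.7/feed"),
    _log("/cms/article/list?page=2"),
]

if __name__ == "__main__":
    for lineno, verdict in scan(SAMPLE):
        print(lineno, verdict)
```

The 'suspicious' verdict covers requests that carry both parameters without a known token, so a payload that avoids the listed strings still surfaces for review.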

CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| nvd | v4.0 | 2.1 | LOW | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| vulncheck | | 5.3 | MEDIUM | |