CVE-2025-8266
Published: 2025-07-28
Priority: P2 · 77 · medium · 6.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 0.97% (57.5th percentile)
A vulnerability has been found in yanyutao0402 ChanCMS up to 3.1.2 and classified as critical. Affected by this vulnerability is the function getArticle of the file app/modules/cms/controller/collect.js. The manipulation of the argument targetUrl leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.1.3 is able to address this issue. It is recommended to upgrade the affected component.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chancms | chancms | < 3.1.3 | 3.1.3 |
| yanyutao0402 | chancms | — | — |
| yanyutao0402 | chancms | — | — |
| yanyutao0402 | chancms | — | — |
Detection & IOCs (extracted from sources)
url: /cms/gather/getArticle?targetUrl=http://jsonplaceholder.typicode.com/posts/1&parseData=return+process.mainModule.require(%27child_process%27).execSync(%27id%27).toString()
- Detect exploitation attempts by monitoring HTTP requests to /cms/gather/getArticle with both 'targetUrl' and 'parseData' query parameters present, especially where 'parseData' contains Node.js RCE payloads (e.g., 'child_process', 'execSync', 'process.mainModule').
- Use Shodan query 'html:"ChanCMS"' to identify internet-exposed ChanCMS instances potentially vulnerable to this RCE.
- The exploit proof-of-concept uses an external SSRF callback domain (jsonplaceholder.typicode.com) as the 'targetUrl' value; real-world attackers may substitute any attacker-controlled URL, so detections should not rely on this specific domain.
- The vulnerability is only present in ChanCMS versions up to and including 3.1.2; version 3.1.3 is patched and should not be flagged.
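The detection guidance above, sketched as an access-log classifier. This is an added example, not a rule from any of the indexed sources; it assumes a common/combined log format with a quoted request line, and every sample line apart from the first one's request URL (taken from the page) is constructed. It keys on the endpoint and parameter names rather than the `targetUrl` host, and normalises nested percent-encoding before matching.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

ENDPOINT = "/cms/gather/getArticle"                             # path named on the page
MARKERS = ("child_process", "execsync", "process.mainmodule")   # strings named on the page
# Assumed log layout: access log with a quoted request line.
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (bounded) so re-encoded markers still match."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(log_line):
    """Return 'high', 'review' or None for one access-log line."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if url.path != ENDPOINT:
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    if "targetUrl" not in params or "parseData" not in params:
        return None          # both parameters must be present
    body = fully_decode(" ".join(params["parseData"])).lower()
    return "high" if any(mk in body for mk in MARKERS) else "review"

# Constructed sample log lines (documentation IP ranges, made-up hosts).
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Jul/2025:10:00:01 +0000] "GET /cms/gather/getArticle?targetUrl=http://jsonplaceholder.typicode.com/posts/1&parseData=return+process.mainModule.require(%27child_process%27).execSync(%27id%27).toString() HTTP/1.1" 200 512',
    '203.0.113.8 - - [28/Jul/2025:10:00:02 +0000] "GET /cms/gather/getArticle?parseData=child%255Fprocess&targetUrl=http://198.51.100.9/feed HTTP/1.1" 200 40',
    '203.0.113.9 - - [28/Jul/2025:10:00:03 +0000] "GET /cms/gather/getArticle?targetUrl=http://example.org/a&parseData=return+data.title HTTP/1.1" 200 88',
    '203.0.113.9 - - [28/Jul/2025:10:00:04 +0000] "GET /cms/gather/getArticle?targetUrl=http://example.org/rss HTTP/1.1" 200 90',
    '203.0.113.9 - - [28/Jul/2025:10:00:05 +0000] "GET /cms/search?targetUrl=x&parseData=child_process HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line), line.split('"')[1][:60])
```

A `review` verdict means both parameters were present without a known marker; on hosts running 3.1.3 or later these hits indicate probing rather than exposure.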
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| nvd | v4.0 | 2.1 | LOW | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| vulncheck | | 5.3 | MEDIUM | |
GHSA
GHSA-pg2f-hfwm-m7g5: A vulnerability has been found in yanyutao0402 ChanCMS up to 3
ghsa_unreviewed·2025-07-28
CVE-2025-8266 [MEDIUM] CWE-20 GHSA-pg2f-hfwm-m7g5: A vulnerability has been found in yanyutao0402 ChanCMS up to 3
A vulnerability has been found in yanyutao0402 ChanCMS up to 3.1.2 and classified as critical. Affected by this vulnerability is the function getArticle of the file app/modules/cms/controller/collect.js. The manipulation of the argument targetUrl leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.1.3 is able to address this issue. It is recommended to upgrade the affected component.
VulnCheck
chancms chancms Improper Input Validation
vulncheck·2025·CVSS 5.3
CVE-2025-8266 [MEDIUM] chancms chancms Improper Input Validation
A vulnerability has been found in yanyutao0402 ChanCMS up to 3.1.2 and classified as critical. Affected by this vulnerability is the function getArticle of the file app/modules/cms/controller/collect.js. The manipulation of the argument targetUrl leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.1.3 is able to address this issue. It is recommended to upgrade the affected component.
Affected: chancms chancms
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://tracker.crowdsec.net/cves/CVE-2025-8266
No detection rules found.
Nuclei
ChanCMS <= 3.1. - Remote Code Execution
nuclei·CVSS 5.3
CVE-2025-8266 [MEDIUM] ChanCMS <= 3.1. - Remote Code Execution
yanyutao0402 ChanCMS <= 3.1.2 contains an insecure deserialization caused by manipulation of the "targetUrl" argument in getArticle function of app/modules/cms/controller/collect.js, letting remote attackers execute arbitrary code, exploit requires crafted input.
Template:
```yaml
id: CVE-2025-8266
info:
  name: ChanCMS <= 3.1. - Remote Code Execution
  author: Ark
  severity: critical
  description: |
    yanyutao0402 ChanCMS <= 3.1.2 contains an insecure deserialization caused by manipulation of the "targetUrl" argument in getArticle function of app/modules/cms/controller/collect.js, letting remote attackers execute arbitrary code, exploit requires crafted input.
  impact: |
    Remote attackers can execute arbitrary code, potentially leading to full system compromi
```
No writeups or analysis indexed.
2025-07-28: Published
Exploited in the wild