CVE-2025-10210

MEDIUM NUCLEI

Chancms < 3.3.0 - Injection

Title source: rule

Description

A weakness has been identified in yanyutao0402 ChanCMS up to 3.3.0. Impacted is the function Search of the file app/modules/api/service/Api.js. Executing manipulation of the argument key can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

Nuclei Templates (1)

ChanCMS <= 3.3.0 - SQL Injection

MEDIUMVERIFIEDby Yu_Bao

Shodan: http.html:"ChanCMS"

FOFA: body="ChanCMS"

References (5)

[Broken Link] https://github.com/August829/Yu/blob/main/58ead8e7e08bfb0e5.md

[Broken Link] https://github.com/August829/Yu/blob/main/58ead8e7e08bfb0e5.md#poc

[Permissions Required, VDB Entry] https://vuldb.com/?ctiid.323483

[Third Party Advisory, VDB Entry] https://vuldb.com/?id.323483

[Third Party Advisory, VDB Entry] https://vuldb.com/?submit.639777

Scores

CVSS v3 6.3

EPSS 0.0062

EPSS Percentile 70.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Details

CWE

CWE-74 CWE-89

Status published

Products (1)

chancms/chancms < 3.3.0

Published Sep 10, 2025

Tracked Since Feb 18, 2026