CVE-2025-65602
CRITICALChanCMS 3.3.4 - Unauthenticated Remote Code Execution via Template Injection in /vip/v1/file/save
Title source: llmDescription
A template injection vulnerability in the /vip/v1/file/save component of ChanCMS v3.3.4 allows attackers to execute arbitrary code via a crafted POST request.
References (3)
Core 3
Core References
Permissions Required
https://www.notion.so/ChanCMS-Unauthenticated-RCE-2a3ee9235ba380fc9973e16c06258689
Scores
CVSS v3
9.8
EPSS
0.0045
EPSS Percentile
35.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-1336
CWE-94
Status
published
Products (1)
chancms/chancms
3.3.4
Published
Dec 10, 2025
Tracked Since
Feb 18, 2026