
ChanCMS CVE-2025-11902

LOW
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2025-10-17 cna@vuldb.com
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Lifecycle Timeline

1. Analysis Generated: Apr 29, 2026 - 02:18 (vuln.today)

Description (CVE.org)

A vulnerability was detected in yanyutao0402 ChanCMS up to 3.3.2. Affected by this vulnerability is the function findField of the file /cms/article/findField. Performing a manipulation of the argument cid results in sql injection. The attack can be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Analysis (AI)

SQL injection in ChanCMS up to version 3.3.2 allows authenticated remote attackers to manipulate the cid parameter of the /cms/article/findField endpoint and run arbitrary database queries, with limited confidentiality and integrity impact. Exploitation requires a valid user account (PR:L in CVSS 4.0), and public exploit code exists. Real-world exploitation risk nevertheless remains low: the rated impact is minimal (VC:L/VI:L) and the EPSS exploitation probability is only 0.02%, so this is a low-priority SQL injection compared to unauthenticated or higher-impact variants.

Technical Context (AI)

ChanCMS is a content management system developed by yanyutao0402. The vulnerability exists in the findField function within the /cms/article/findField endpoint, which improperly handles the cid (category ID) parameter without sufficient input validation or parameterized query protection. The root cause is CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), indicating that user-supplied input is not properly sanitized before being incorporated into SQL queries. This allows attackers to inject arbitrary SQL syntax through the cid parameter to manipulate database operations.

Remediation (AI)

Upgrade ChanCMS to a patched version above 3.3.2 if the vendor provides one. No specific vendor-released patch version is documented in available advisories, and the vendor's non-responsiveness means patch availability is uncertain. As an immediate compensating control, restrict access to the /cms/article/findField endpoint to trusted users only via firewall or web application firewall (WAF) rules; this reduces the attack surface by limiting which authenticated users can invoke the vulnerable function. Validate the cid parameter on input so that only numeric values are accepted and any special characters commonly used in SQL injection (quotes, dashes, asterisks, parentheses) are rejected. In the findField code itself, use parameterized queries or prepared statements so that SQL logic is separated from user input and the cid value is treated as data rather than executable SQL. If source code access is available, review all database query construction in ChanCMS for the same pattern, since similar SQL injection flaws may exist elsewhere in the application.
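The two code-level controls above (numeric allow-listing of cid and a bound parameter instead of string concatenation) as an added illustration in JavaScript; this is not ChanCMS's own code, and the table name, column names and handler shape are assumptions:

```javascript
// Added example, not ChanCMS code: hardening a category-id lookup such as the
// cid parameter of /cms/article/findField. Table/column names are hypothetical.

// Strict allow-list: cid must be a non-negative integer in canonical form
// (no sign, no leading zeros, no spaces, quotes, comment markers or parentheses).
// Returns the number on success, or null when the value must be rejected.
function parseCid(raw) {
  if (typeof raw !== 'string' && typeof raw !== 'number') return null;
  const s = String(raw);
  if (!/^(0|[1-9][0-9]{0,9})$/.test(s)) return null;
  return Number(s);
}

// Vulnerable pattern: the caller-controlled value is spliced into the SQL
// text, so anything that is not a plain integer changes the statement itself.
function buildQueryUnsafe(cid) {
  return `SELECT id, title FROM article WHERE cid = ${cid}`;
}

// Hardened pattern: the SQL text is a fixed string and cid travels as a bound
// parameter. A MySQL driver substitutes '?' only with an escaped value, so the
// statement shape cannot change; the validator additionally rejects anything
// that is not an integer before a query is even built.
function buildQuerySafe(raw) {
  const cid = parseCid(raw);
  if (cid === null) {
    return { error: 'cid must be a non-negative integer' };
  }
  return { sql: 'SELECT id, title FROM article WHERE cid = ?', params: [cid] };
}

// Handler-level check (hypothetical shape): map the request's query string to
// either a safe query object or an HTTP 400, never to a concatenated statement.
function handleFindField(query) {
  const built = buildQuerySafe(query.cid);
  if (built.error) return { status: 400, body: built.error };
  return { status: 200, query: built };
}
```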
