ChanCMS
CVE-2025-11903
LOW
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A flaw has been found in yanyutao0402 ChanCMS up to 3.3.2. Affected by this issue is the function update of the file /cms/article/update. Executing a manipulation of the argument cid can lead to SQL injection. The attack can be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI)
SQL injection in ChanCMS up to version 3.3.2 allows authenticated remote attackers to manipulate the cid parameter in the /cms/article/update endpoint, enabling arbitrary database queries with limited confidentiality and integrity impact. The vulnerability requires valid user authentication and has publicly available exploit code, but carries low real-world risk due to the CVSS 2.1 score and minimal EPSS probability (0.02%). The vendor has not responded to early disclosure notifications.
Technical Context (AI)
ChanCMS is a content management system vulnerable to SQL injection via improper input validation on the cid parameter. The vulnerability is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, the general injection class). The /cms/article/update endpoint processes the cid argument without adequate sanitization, allowing attackers to inject arbitrary SQL commands. Affected versions are those up to 3.3.2; the associated CPE is cpe:2.3:a:chancms:chancms:*:*:*:*:*:*:*:*. The injection point is in the article update operation, where user-controlled input reaches the database query layer without proper parameterization or escaping.
Remediation (AI)
No vendor-released patch is available at this time due to the vendor's lack of response to disclosure. Organizations running ChanCMS 3.3.2 or earlier should immediately implement input validation and parameterized query controls at the application layer to neutralize the SQL injection vector in the /cms/article/update endpoint. A temporary compensating control is to restrict network access to the /cms/article/update endpoint via Web Application Firewall (WAF) rules that block requests with suspicious SQL metacharacters in the cid parameter (such as single quotes, double dashes, UNION keywords), though this may cause false positives and does not address all injection variants. Alternatively, disable the article update feature entirely if not essential to operations, or restrict update functionality to administrative accounts only and implement strict role-based access controls. Monitor database query logs for anomalous SQL patterns targeting the article table. The recommended long-term solution is to migrate to an actively maintained CMS fork or alternative system that includes SQL injection defenses, as the original ChanCMS project appears abandoned.
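The input-validation control described above, as an added example (not ChanCMS code): an allow-list parser for `cid` placed ahead of the update handler, shown beside a blocklist built from the metacharacters the WAF suggestion names. It assumes `cid` is a positive integer identifier, which the page does not state; `parseCid`, `guardArticleUpdate`, `blocklistAllows` and `MAX_ID` are hypothetical names, and the guard complements parameterized queries rather than replacing them.

```javascript
// Added example: allow-list validation for the `cid` argument.
// Assumption: `cid` is a positive integer id; the page does not state its type.
const MAX_ID = 2147483647; // assumed upper bound (signed 32-bit INT column)

// WAF-style blocklist using the metacharacters the remediation text names.
function blocklistAllows(raw) {
  return !/'|--|\bunion\b/i.test(String(raw));
}

// Allow-list: accept only a canonical decimal string or an in-range integer.
function parseCid(raw) {
  if (typeof raw === "number") {
    return Number.isInteger(raw) && raw >= 1 && raw <= MAX_ID ? raw : null;
  }
  if (typeof raw !== "string") return null;        // arrays, objects, null, undefined
  if (!/^[1-9][0-9]{0,9}$/.test(raw)) return null; // no sign, spaces, hex, exponent
  const n = Number(raw);
  return n <= MAX_ID ? n : null;
}

// Hypothetical guard to run before the update handler touches the database.
function guardArticleUpdate(body) {
  const cid = parseCid(body == null ? undefined : body.cid);
  if (cid === null) {
    return { ok: false, status: 400, reason: "cid must be a positive integer" };
  }
  return { ok: true, cid };
}

// Constructed sample inputs (not taken from any published exploit).
const samples = ["12", 12, "012", " 12", "12abc", "1 OR 1=1",
                 ["1", "2"], { a: 1 }, "99999999999", ""];

// Compare the two controls on each sample value.
function classify(list) {
  return list.map((v) => ({
    input: JSON.stringify(v),
    blocklist: blocklistAllows(v) ? "pass" : "block",
    allowlist: parseCid(v) === null ? "reject" : "accept",
  }));
}

console.table(classify(samples));
```

Only the first two samples are accepted by the allow-list, while the blocklist passes all ten, including the non-numeric ones.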