
ChanCMS CVE-2025-11904

Severity: LOW (CVSS 4.0 base score 2.1, source: NVD)
Weakness: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
Published: 2025-10-17 · CNA: cna@vuldb.com

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1. Analysis Generated: Apr 29, 2026 01:34 (vuln.today)

Description (CVE.org)

A vulnerability has been found in yanyutao0402 ChanCMS up to 3.3.2. This affects the function hasUse of the file /cms/model/hasUse. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Analysis (AI)

SQL injection in ChanCMS up to version 3.3.2 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in the /cms/model/hasUse function. The vulnerability has low immediate impact (CVSS 2.1) but carries elevated real-world risk due to publicly available exploit code, authenticated but network-accessible attack vector, and vendor non-responsiveness to disclosure. Exploitation requires valid user credentials but no user interaction or special conditions.

Technical Context (AI)

ChanCMS is a content management system written in PHP. The vulnerability exists in the hasUse function located in /cms/model/hasUse, which processes user-supplied input via the ID parameter without proper sanitization or parameterized query protection. The root cause is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), indicating the application fails to properly escape or bind SQL parameters before constructing dynamic database queries. The attack surface is the hasUse endpoint, accessible via HTTP/HTTPS to any authenticated user.
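The defect class described above, string concatenation of a request parameter into a dynamic query versus parameter binding, as an added illustration that is not ChanCMS code and does not reflect its real schema or query text. The table, the query and the "model in use" count are constructed for the example; the only assumption taken from the page is that the endpoint receives an ID argument and runs a database query with it.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in; hypothetical schema, not ChanCMS's real tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE model_usage (model_id INTEGER, page TEXT)")
    conn.executemany(
        "INSERT INTO model_usage VALUES (?, ?)",
        [(1, "home"), (1, "about"), (2, "news")],
    )
    conn.commit()
    return conn


def has_use_concat(conn, raw_id):
    """Dynamic query built by concatenation: the input becomes part of the SQL text."""
    sql = "SELECT COUNT(*) FROM model_usage WHERE model_id = " + raw_id
    return conn.execute(sql).fetchone()[0]


def has_use_bound(conn, raw_id):
    """Parameter binding only: the input is sent as data, never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM model_usage WHERE model_id = ?"
    return conn.execute(sql, (raw_id,)).fetchone()[0]


def has_use_validated(conn, raw_id):
    """Hardened form: enforce the expected type first, then bind the value."""
    model_id = int(raw_id)  # raises ValueError for anything that is not an integer literal
    sql = "SELECT COUNT(*) FROM model_usage WHERE model_id = ?"
    return conn.execute(sql, (model_id,)).fetchone()[0]


def demo():
    """Run the three variants on a benign ID and on a constructed tautology payload."""
    conn = make_db()
    benign, tainted = "2", "0 OR 1=1"
    results = {
        "concat_benign": has_use_concat(conn, benign),     # 1 row for model 2
        "concat_tainted": has_use_concat(conn, tainted),   # WHERE clause rewritten: all 3 rows
        "bound_benign": has_use_bound(conn, benign),       # 1: '2' converts to the integer 2
        "bound_tainted": has_use_bound(conn, tainted),     # 0: compared as a literal string
        "validated_benign": has_use_validated(conn, benign),
    }
    try:
        has_use_validated(conn, tainted)
        results["validated_tainted"] = "executed"
    except ValueError:
        results["validated_tainted"] = "rejected"          # never reaches the database
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Binding alone already neutralizes the payload because the driver treats the whole string as one value; the validation step on top of it turns a silently wrong answer into a rejected request, which is also the cheaper thing to alert on.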

Remediation (AI)

No vendor-released patch is available due to vendor non-responsiveness to disclosure. Immediate remediation requires upgrading to a patched version if the vendor releases one; however, as of this analysis, no update path exists. For organizations unable to upgrade, implement the following compensating controls with documented trade-offs:

(1) Restrict database user account permissions to READ-ONLY or least-privilege stored procedures only, limiting the damage SQL injection can cause to data modification or deletion (trade-off: may break legitimate hasUse functionality if it requires write access).

(2) Implement Web Application Firewall (WAF) rules to block requests to /cms/model/hasUse containing SQL metacharacters (single quotes, semicolons, UNION, SELECT) in the ID parameter (trade-off: may generate false positives if legitimate ID values contain special characters).

(3) Restrict access to the /cms/model/hasUse endpoint via network ACLs or reverse proxy authentication to trusted administrative users only (trade-off: reduces application functionality for end users).

Monitor database logs for suspicious SQL patterns. Given the low vendor engagement, consider evaluating alternative CMS solutions.
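The WAF rule in control (2) and the monitoring advice above, worked as a log-screening script that is added here and is not part of the advisory or of ChanCMS. It parses constructed web-server access-log lines (hosts, users, timestamps and values are all made up), picks out requests to /cms/model/hasUse, and evaluates the ID parameter two ways: the metacharacter denylist the advisory names, and a stricter numeric allowlist. The allowlist is only valid under the assumption that legitimate IDs are integers, which the page does not confirm; it also assumes the ID travels as a GET query parameter, since request bodies are not in access logs.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in common log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - alice [17/Oct/2025:10:00:01 +0000] "GET /cms/model/hasUse?id=12 HTTP/1.1" 200 87
10.0.0.5 - alice [17/Oct/2025:10:00:02 +0000] "GET /cms/model/hasUse?id=12%27%20OR%201%3D1 HTTP/1.1" 200 87
10.0.0.9 - bob [17/Oct/2025:10:00:03 +0000] "GET /cms/model/hasUse?id=7%3BSELECT%201 HTTP/1.1" 500 0
10.0.0.9 - bob [17/Oct/2025:10:00:04 +0000] "GET /cms/article/list?page=2 HTTP/1.1" 200 2048
10.0.0.9 - bob [17/Oct/2025:10:00:05 +0000] "GET /cms/model/hasUse?id=abc HTTP/1.1" 200 87
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)
WATCHED_PATH = "/cms/model/hasUse"                  # endpoint named in the advisory
# Denylist from control (2): quotes, semicolons, UNION, SELECT.
META_RE = re.compile(r"""['";]|\b(union|select)\b""", re.IGNORECASE)
# Allowlist (assumption): a legitimate ID is a short decimal integer.
ID_ALLOW_RE = re.compile(r"^\d{1,10}$")


def parse_line(line):
    """Split one access-log line into fields; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes values; keys are lower-cased so "id" and "ID" both match.
    qs = {k.lower(): v for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    rec["id"] = qs.get("id", [None])[0]
    return rec


def classify(rec):
    """Evaluate the ID value of a hasUse request under both rules; None if not applicable."""
    if rec is None or rec["path"] != WATCHED_PATH or rec["id"] is None:
        return None
    value = rec["id"]
    return {
        "src": rec["src"],
        "user": rec["user"],
        "ts": rec["ts"],
        "id": value,
        "denylist_hit": bool(META_RE.search(value)),     # what the WAF rule would block
        "allowlist_miss": ID_ALLOW_RE.match(value) is None,  # what a type check would reject
    }


def scan(log_text):
    """Return every hasUse request that either rule would flag, in log order."""
    findings = []
    for line in log_text.splitlines():
        c = classify(parse_line(line))
        if c and (c["denylist_hit"] or c["allowlist_miss"]):
            findings.append(c)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} user={f['user']} id={f['id']!r} "
              f"denylist={f['denylist_hit']} allowlist_miss={f['allowlist_miss']}")
```

On the sample, the plain numeric request passes both rules, the two requests carrying a quote or a semicolon trip both, and the value "abc" slips past the denylist but not the allowlist: the denylist only catches the tokens it was told about, while the allowlist encodes what a valid ID looks like and so does not need a token list, but it produces false positives the moment real IDs are not integers, which is the trade-off the control above names.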


CVE-2025-11904 vulnerability details – vuln.today
