
ChanCMS CVE-2025-8132

LOW
Path Traversal (CWE-22)
2025-07-25 cna@vuldb.com
2.1
CVSS 4.0 · NVD

Severity by source

NVD (primary)
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1. Analysis Generated: Apr 29, 2026 - 01:47 (vuln.today)

Description (CVE.org)

A vulnerability was found in yanyutao0402 ChanCMS up to 3.1.2. It has been rated as critical. Affected by this issue is the function delfile of the file app/extend/utils.js. The manipulation leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.1.3 is able to address this issue. The name of the patch is c8a282bf02a62b59ec60b4699e91c51aff2ee9cd. It is recommended to upgrade the affected component.

Analysis (AI)

Path traversal in ChanCMS up to version 3.1.2 allows authenticated remote attackers to read or modify arbitrary files via the delfile function in app/extend/utils.js, with publicly available exploit code disclosed. The CVSS score of 2.1 reflects low impact (low integrity and availability impact, no confidentiality impact per the vector) and the requirement for authenticated access, though the vulnerability affects a core file deletion utility. A vendor-released patch is available in version 3.1.3.

Technical Context (AI)

ChanCMS is a content management system written in Node.js. The vulnerability exists in the delfile function within app/extend/utils.js, a utility module that handles file deletion operations. The root cause is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory / Path Traversal), meaning the function fails to properly validate or sanitize file path inputs before processing deletion requests. An authenticated attacker can supply crafted path traversal sequences (e.g., '../../../') in parameters passed to delfile, allowing the function to access and delete files outside the intended application directory structure. The attack vector is network-based with low complexity and requires authenticated user privileges (PR:L per CVSS 4.0 vector).

Remediation (AI)

Upgrade ChanCMS to version 3.1.3 or later immediately. The vendor-released patch is available via the official Gitee repository (https://gitee.com/yanyutao0402/ChanCMS/releases/tag/V3.1.3), with the specific patch commit c8a282bf02a62b59ec60b4699e91c51aff2ee9cd addressing the path traversal vulnerability. As an interim compensating control pending patching, restrict user access to ChanCMS administrative or file management functions to only trusted internal staff, and implement file system permissions to limit the scope of deletable files (e.g., read-only or restricted-write ACLs on sensitive system directories outside the ChanCMS application folder). Review access logs and audit user privilege assignments to identify any accounts with unnecessary file deletion permissions, and consider disabling the delfile function entirely if not actively used. These controls mitigate attack impact but do not eliminate the vulnerability; patching is essential.


CVE-2025-8132 vulnerability details – vuln.today
