Is there a public PoC exploit available for CVE-2025-8227?

Yes, a public proof-of-concept exploit is available for CVE-2025-8227. Prioritise patching immediately. EPSS: 0.2%.

ChanCMS CVE-2025-8227

Q: What is the CVSS score of CVE-2025-8227?

CVE-2025-8227 has a CVSS 4.0 base score of 2.1 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.2%.

LOW

Improper Input Validation (CWE-20)

2025-07-27 cna@vuldb.com

Deserialization Chancms

2.1

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

2.1 LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Apr 29, 2026 - 01:50 vuln.today

DescriptionCVE.org

A vulnerability was found in yanyutao0402 ChanCMS up to 3.1.2. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /collect/getArticle. The manipulation of the argument taskUrl leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.1.3 is able to address this issue. The patch is named 33d9bb464353015aaaba84e27638ac9a3912795d. It is recommended to upgrade the affected component.

AnalysisAI

Unsafe deserialization in ChanCMS up to version 3.1.2 allows authenticated remote attackers to trigger deserialization vulnerabilities via the taskUrl parameter in the /collect/getArticle endpoint, potentially leading to code execution. The vulnerability has limited confidentiality, integrity, and availability impact per CVSS 4.0 scoring (2.1 score). Publicly available exploit code exists, and the vendor has released patched version 3.1.3.

Technical ContextAI

The vulnerability exists in ChanCMS, a content management system, specifically in the /collect/getArticle file handler. The root cause is improper input validation (CWE-20) of the taskUrl parameter, which is processed through unsafe deserialization logic. Deserialization vulnerabilities occur when untrusted data is reconstructed into objects without proper validation, allowing attackers to instantiate arbitrary classes and trigger unintended code execution paths. The vulnerability requires authenticated access (CVSS PR:L) and network accessibility but does not require user interaction. The exploit has been publicly disclosed through the project's issue tracker.

RemediationAI

Upgrade ChanCMS to version 3.1.3 or later, which includes the patched commit 33d9bb464353015aaaba84e27638ac9a3912795d. The patched version is available at https://gitee.com/yanyutao0402/ChanCMS/tree/V3.1.3. No workarounds for this deserialization vulnerability are documented; upgrading is the recommended remediation path. During the upgrade window, restrict network access to the /collect/getArticle endpoint to trusted administrative networks only, and audit authentication logs for suspicious access patterns to this endpoint using low-privilege accounts.

CVE-2025-8227 vulnerability details – vuln.today

Back