ChanCMS
CVE-2025-8266
LOW
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability has been found in yanyutao0402 ChanCMS up to 3.1.2 and classified as critical. Affected by this vulnerability is the function getArticle of the file app/modules/cms/controller/collect.js. The manipulation of the argument targetUrl leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.1.3 is able to address this issue. It is recommended to upgrade the affected component.
AnalysisAI
Unsafe deserialization in ChanCMS up to version 3.1.2 allows authenticated remote attackers to achieve limited confidentiality, integrity, and availability impact via manipulation of the targetUrl parameter in the getArticle function of app/modules/cms/controller/collect.js. The CVSS score of 2.1 reflects constrained impact (low severity across all impact categories), but the low EPSS percentile (71%) and publicly available exploit code indicate real-world risk despite authentication requirement. Upgrading to version 3.1.3 resolves the issue.
Technical ContextAI
The vulnerability exists in the ChanCMS application's article collection module, specifically within the getArticle function that processes a targetUrl parameter. The underlying issue is unsafe deserialization (CWE-20: Improper Input Validation) where user-supplied input via the targetUrl argument is deserialized without proper validation or type checking. Deserialization flaws can enable arbitrary object instantiation and code execution depending on available gadget chains in the application's runtime environment. The attack vector is network-based and exploitable by authenticated users (PR:L per CVSS vector), targeting the /collect.js endpoint in the CMS module.
RemediationAI
Upgrade ChanCMS to version 3.1.3 or later, which addresses the deserialization vulnerability in the getArticle function. Patch availability is confirmed via the official Gitee release page (https://gitee.com/yanyutao0402/ChanCMS/releases/tag/V3.1.3). For organizations unable to immediately upgrade, implement network-level access controls restricting CMS module endpoints to trusted internal networks only, and enforce strict authentication and authorization for the collect.js endpoint. Audit user accounts with CMS access permissions and disable unnecessary service accounts. Consider disabling the article collection/scraping feature entirely if not in use, as this eliminates the attack surface. Monitor for suspicious deserialization activity or unexpected object instantiation in application logs. Each mitigation carries trade-offs: network restrictions may impact remote administration capabilities, account audits require operational overhead, and feature disabling may limit CMS functionality.
Share
External POC / Exploit Code
Leaving vuln.today