CVE-2025-10210

Low

Published: 10 September 2025

Modified: 29 April 2026
KEV Added:
Patch:
CVSS Score v4: 2.1
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0089 (75.9th percentile)
Risk Priority: 5 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-10210 is a low-severity Injection (CWE-74) vulnerability in Chancms Chancms. Its CVSS base score is 2.1 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 24.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A weakness has been identified in yanyutao0402 ChanCMS up to version 3.3.0 within the Search function of app/modules/api/service/Api.js. Manipulation of the key argument allows SQL injection, classified under CWE-74 and CWE-89. The flaw is remotely exploitable and carries a CVSS 4.0 score of 2.1 reflecting limited impact under low-privilege conditions, with a public exploit released after the vendor failed to respond to early disclosure.

Attackers with authenticated low-privileged access can supply crafted input to the affected API endpoint and execute arbitrary SQL commands against the backend database, potentially extracting or modifying data. The attack requires no user interaction and can be launched over the network.

Public references include proof-of-concept code on GitHub and detailed entries on VulDB, confirming the issue and providing reproduction steps, though no official patches or mitigation guidance have been issued by the vendor.

The associated EPSS score rose from a low baseline to a peak of 0.0254 on 2025-12-11 before receding to 0.0089, indicating emerging exploitation interest after public disclosure.

Vulnerability details

A weakness has been identified in yanyutao0402 ChanCMS up to 3.3.0. Impacted is the function Search of the file app/modules/api/service/Api.js. Executing manipulation of the argument key can lead to SQL injection. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505 Server Software Component (Persistence)
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
T1213.006 Databases (Collection)
Adversaries may leverage databases to mine valuable information.
Why these techniques?

SQL injection in public-facing ChanCMS API enables exploitation of public-facing web applications (T1190), abuse of server software components for SQL command execution (T1505), and data collection from databases (T1213.006).

CVEs Like This One

CVE-2025-8227 (same product: Chancms Chancms)
CVE-2025-65602 (same product: Chancms Chancms)
CVE-2025-0410 (shared CWE-74, CWE-89)
CVE-2025-2034 (shared CWE-74, CWE-89)
CVE-2025-0486 (shared CWE-74, CWE-89)
CVE-2025-1185 (shared CWE-74, CWE-89)
CVE-2025-2389 (shared CWE-74, CWE-89)
CVE-2025-0558 (shared CWE-74, CWE-89)
CVE-2025-2391 (shared CWE-74, CWE-89)
CVE-2025-2066 (shared CWE-74, CWE-89)

Affected Assets

chancms chancms ≤ 3.3.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly requires validation and sanitization of the 'key' argument in Api.js Search to block crafted SQL payloads before execution.

respond, recover

Mandates timely remediation of the known SQL injection flaw in ChanCMS 3.3.0 once a patch or compensating code change becomes available.

prevent

Restricts the authenticated user's privileges so that a successful injection via the 'key' parameter yields only limited C/I/A impact within the application's scope.