CVE-2025-10210
Published: 10 September 2025
Summary
CVE-2025-10210 is a low-severity Injection (CWE-74) vulnerability in ChanCMS. Its CVSS base score is 2.1 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 24.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A weakness has been identified in yanyutao0402 ChanCMS up to version 3.3.0, within the Search function of app/modules/api/service/Api.js. Manipulation of the key argument allows SQL injection, classified under CWE-74 and CWE-89. The flaw is remotely exploitable and carries a CVSS 4.0 score of 2.1, reflecting limited impact under low-privilege conditions; a public exploit was released after the vendor failed to respond to early disclosure.
Attackers with authenticated low-privileged access can supply crafted input to the affected API endpoint and execute arbitrary SQL commands against the backend database, potentially extracting or modifying data. The attack requires no user interaction and can be launched over the network.
Public references include proof-of-concept code on GitHub and detailed entries on VulDB, confirming the issue and providing reproduction steps, though no official patches or mitigation guidance have been issued by the vendor.
The associated EPSS score rose from a low baseline to a peak of 0.0254 on 2025-12-11 before receding to 0.0089, indicating emerging exploitation interest after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-27604
Vulnerability details
A weakness has been identified in yanyutao0402 ChanCMS up to 3.3.0. Impacted is the function Search of the file app/modules/api/service/Api.js. Executing manipulation of the argument key can lead to SQL injection. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing ChanCMS API enables exploitation of public-facing web applications (T1190), abuse of server software components for SQL command execution (T1505), and data collection from databases (T1213.006).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of the 'key' argument in the Api.js Search function, so that crafted SQL payloads are blocked before execution.
- SI-2 (Flaw Remediation): mandates timely remediation of the known SQL injection flaw in ChanCMS 3.3.0 once a patch or compensating code change becomes available.
- Least privilege for the authenticated user: restricts the account's privileges so that a successful injection via the 'key' parameter yields only limited confidentiality, integrity and availability impact within the application's scope.
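An added illustration of the SI-10 control, not ChanCMS code and not a vendor patch (none has been issued): a Search-style Node.js handler that validates the key argument and hands it to the database as a bound parameter instead of splicing it into the SQL text. The table, column and function names and the allowed-character policy are assumptions.

```javascript
// Added example (not ChanCMS code): handling a user-supplied `key` in a
// Search-style handler. Table/column names and the policy are assumptions.

// Validation step (NIST 800-53 SI-10): accept only a bounded, plain term.
// Assumed policy: 1..64 letters, digits, spaces, hyphens or underscores.
const KEY_PATTERN = /^[\p{L}\p{N} _-]{1,64}$/u;

function validateKey(key) {
  if (typeof key !== 'string') return null;
  const trimmed = key.trim();
  return KEY_PATTERN.test(trimmed) ? trimmed : null;
}

// The bug class on this page: the user value is spliced into the SQL text,
// so a quote inside `key` changes the statement itself (even a harmless
// name such as O'Reilly breaks the query).
function buildSearchQueryUnsafe(key) {
  return `SELECT id, title FROM article WHERE title LIKE '%${key}%'`;
}

// Hardened form: the SQL text is constant and `key` travels as a bound
// parameter, in the {sql, params} shape a mysql2/pg-style driver takes as
// execute(sql, params). LIKE wildcards in the value are escaped with '!'
// so the user cannot widen the match either.
function buildSearchQuerySafe(key) {
  const safeKey = validateKey(key);
  if (safeKey === null) {
    throw new Error('invalid search key');
  }
  const escaped = safeKey.replace(/[%_!]/g, (c) => '!' + c);
  return {
    sql: "SELECT id, title FROM article WHERE title LIKE ? ESCAPE '!'",
    params: [`%${escaped}%`],
  };
}

// Cheap structural check used in the comparison: an odd number of single
// quotes means the user value escaped its string literal.
function quoteCount(sql) {
  return (sql.match(/'/g) || []).length;
}
```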