CVE-2025-10210
Published: 10 September 2025
Summary
CVE-2025-10210 is a medium-severity Injection (CWE-74) vulnerability in Chancms Chancms. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 23.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.
- Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.
- Validates query inputs to prevent SQL syntax or command manipulation.
- Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
SQL injection in public-facing ChanCMS API enables exploitation of public-facing web applications (T1190), abuse of server software components for SQL command execution (T1505), and data collection from databases (T1213.006).
NVD Description
A weakness has been identified in yanyutao0402 ChanCMS up to 3.3.0. Impacted is the function Search of the file app/modules/api/service/Api.js. Executing manipulation of the argument key can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysis (AI)
CVE-2025-10210 is a SQL injection vulnerability affecting yanyutao0402 ChanCMS versions up to 3.3.0. The issue resides in the Search function within the file app/modules/api/service/Api.js, where manipulation of the 'key' argument enables injection. Classified under CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-89 (SQL Injection), it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-09-10.
The vulnerability can be exploited remotely by attackers with low privileges, such as authenticated users, requiring no user interaction. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling unauthorized data access, modification, or disruption within the scope of the attacker's privileges via crafted SQL payloads in the 'key' parameter.
Advisories from VulDB and a GitHub repository detail the issue, including a public proof-of-concept exploit. No vendor response or patch has been issued despite early disclosure notification, leaving affected systems without official mitigation; practitioners should review the references for POC details and consider input validation, prepared statements, or system upgrades where feasible.
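The input-validation and prepared-statement mitigations named above, shown as an added example that is not ChanCMS code and is not taken from the advisories. It is a hypothetical LIKE-based search builder; the `article` table, its columns, the length limit and all function names are assumptions.

```javascript
// Hypothetical search query builder (NOT ChanCMS source; names are assumptions).
const MAX_KEY_LENGTH = 64; // assumed limit for a search term
const SAFE_SQL =
  "SELECT id, title FROM article WHERE title LIKE ? ESCAPE '!' LIMIT 20";

// Pattern to avoid: the key becomes part of the SQL text, so a quote
// character in the key changes the structure of the statement.
function buildSearchUnsafe(key) {
  return {
    sql: `SELECT id, title FROM article WHERE title LIKE '%${key}%' LIMIT 20`,
    params: [],
  };
}

// Query-string parsers can hand back arrays or objects, so check the type
// before the value gets anywhere near the database driver.
function validateKey(key) {
  if (typeof key !== "string") throw new TypeError("key must be a string");
  const trimmed = key.trim();
  if (trimmed.length === 0 || trimmed.length > MAX_KEY_LENGTH) {
    throw new RangeError("key length out of range");
  }
  return trimmed;
}

// A bound parameter is still interpreted as a LIKE pattern, so neutralise
// the wildcards (% and _) and the escape character itself.
function escapeLike(value) {
  return value.replace(/[!%_]/g, (ch) => "!" + ch);
}

// Hardened form: constant SQL text, user input travels only as a parameter.
function buildSearchSafe(key) {
  const pattern = `%${escapeLike(validateKey(key))}%`;
  return { sql: SAFE_SQL, params: [pattern] };
}

// Constructed sample input: a legitimate term that contains a quote.
const sampleKey = "O'Reilly";
console.log(buildSearchUnsafe(sampleKey).sql); // quote ends the literal early
console.log(buildSearchSafe(sampleKey)); // SQL text unchanged, value in params
```

The `{ sql, params }` pair is what a driver's placeholder API would receive; the statement text never varies with the request.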
A publicly available exploit increases the risk of active targeting, though no confirmed real-world exploitation has been reported in the available data.
Details
- CWE(s)