CVE-2025-8228 MEDIUM

CVE-2025-8228: yanyutao0402 ChanCMS getPages server-side request forgery

Vendor Yanyutao0402
Product ChanCMS
Weakness CWE-918 · SSRF
Published July 27, 2025
Last update July 28, 2025
View on NVD All CVEs

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A vulnerability was found in yanyutao0402 ChanCMS up to 3.1.2. It has been rated as critical. Affected by this issue is the function getPages of the file /cms/collect/getPages. The manipulation of the argument targetUrl leads to server-side request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.1.3 is able to address this issue. It is recommended to upgrade the affected component.

Key dates

02Disclosure timeline

July 27, 2025 CVE published
July 28, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-2654 huggingface smolagents LocalPythonExecutor requests.post server-side request forgery CVE-2025-53767 Azure OpenAI Elevation of Privilege Vulnerability CVE-2026-33644 Lychee has SSRF bypass via DNS rebinding — PhotoUrlRule only validates IP addresses, not hostnames resolving to internal IPs CVE-2025-13393 Featured Image from URL (FIFU) <= 5.3.1 - Authenticated (Contributor+) Server-Side Request Forgery via 'fifu_input_url' CVE-2023-25195 Apache Fineract: SSRF template type vulnerability in certain authenticated users