CVE-2025-10210: SQL Injection in yanyutao0402 ChanCMS
A weakness has been identified in yanyutao0402 ChanCMS up to 3.3.0. Impacted is the function Search of the file app/modules/api/service/Api.js. Executing manipulation of the argument key can lead to SQL injection. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-10210 is a SQL Injection vulnerability identified in the ChanCMS content management system developed by yanyutao0402, affecting versions up to and including 3.3.0. The vulnerability resides in the Search function within the file app/modules/api/service/Api.js. Specifically, the issue arises from improper sanitization or validation of the 'key' argument passed to this function, allowing an attacker to manipulate the input and inject malicious SQL commands. This flaw enables remote attackers to execute arbitrary SQL queries on the backend database without requiring user interaction or authentication, as indicated by the CVSS vector. The vendor was notified early but has not responded or provided a patch, and while the exploit code has been publicly released, there are no confirmed reports of exploitation in the wild to date. The CVSS 4.0 base score is 5.3, categorizing the vulnerability as medium severity. The attack vector is network-based with low attack complexity and no privileges or user interaction needed, but the impact on confidentiality, integrity, and availability is limited, likely due to partial mitigations or the nature of the vulnerable code path. This vulnerability could allow attackers to extract sensitive data, modify database contents, or disrupt service availability depending on the database privileges of the CMS application. Given the public availability of exploit code and lack of vendor response, the risk of exploitation may increase over time.
Potential Impact
For European organizations using ChanCMS versions 3.0 through 3.3.0, this vulnerability poses a tangible risk of unauthorized data access and potential data manipulation. Organizations in sectors handling sensitive personal data, such as healthcare, finance, or government, could face data breaches leading to regulatory penalties under GDPR. The ability to execute SQL injection remotely without authentication increases the attack surface, especially for publicly accessible CMS instances. Even though the CVSS score is medium, the presence of publicly available exploit code and no vendor patch elevates the risk profile. Attackers could leverage this vulnerability to extract confidential information, deface websites, or disrupt services, impacting business continuity and reputation. European entities relying on ChanCMS for web content management should consider this a priority vulnerability to address, as exploitation could lead to data leaks or service outages, which are critical concerns under European data protection and cybersecurity frameworks.
Mitigation Recommendations
Since no official patch or vendor response is available, European organizations should implement immediate compensating controls. These include:
1) Restricting access to the vulnerable Search API endpoint via network-level controls such as web application firewalls (WAFs) configured with SQL injection detection and blocking rules tailored to ChanCMS query patterns.
2) Employing input validation and sanitization proxies or reverse proxies that can filter malicious payloads targeting the 'key' parameter.
3) Monitoring and logging all requests to the Search function for anomalous patterns indicative of injection attempts.
4) If feasible, temporarily disabling or restricting the Search functionality until a patch is available.
5) Conducting thorough code reviews and applying manual sanitization in custom deployments.
6) Isolating the CMS database with least privilege principles to limit the damage potential of any successful injection.
7) Planning for migration or upgrade to a patched version once available or considering alternative CMS platforms with active security maintenance.
Additionally, organizations should maintain up-to-date backups and incident response plans to quickly recover from potential exploitation.
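The code-review item above (5) comes down to keeping `key` out of the SQL text. The block below is an added example, not ChanCMS code and not taken from the advisory: it contrasts a concatenated search query with a validated, parameterized one. It assumes the flaw follows the common string-interpolation pattern; the table `article`, column `title`, function names and length cap are hypothetical.

```javascript
// Added example, not ChanCMS code. Table "article", column "title", the
// function names and the 64-character cap are hypothetical choices.
const MAX_KEY_LENGTH = 64;

// Anti-pattern (assumed shape of the flaw): the request value is spliced
// into the SQL text, so a quote in `key` changes the statement itself.
function buildSearchUnsafe(key) {
  return {
    sql: `SELECT id, title FROM article WHERE title LIKE '%${key}%'`,
    bindings: [],
  };
}

// Accept only a short string. Query parsers that support ?key[]=a or
// ?key[x]=a hand the handler an array or object instead of a string.
function validateKey(key) {
  if (typeof key !== "string") throw new TypeError("key must be a string");
  const trimmed = key.trim();
  if (trimmed.length === 0 || trimmed.length > MAX_KEY_LENGTH) {
    throw new RangeError(`key must be 1..${MAX_KEY_LENGTH} characters`);
  }
  return trimmed;
}

// Escape LIKE wildcards with "!" so a user-typed % or _ matches literally.
function escapeLike(value) {
  return value.replace(/[!%_]/g, (ch) => "!" + ch);
}

// Hardened form: the SQL text is a constant and the value is a bound
// parameter, passed to the driver's placeholder API with `bindings`.
function buildSearchSafe(key) {
  return {
    sql: "SELECT id, title FROM article WHERE title LIKE ? ESCAPE '!' LIMIT 20",
    bindings: [`%${escapeLike(validateKey(key))}%`],
  };
}

// Constructed input: an ordinary search phrase with a quote and a percent.
const sampleKey = "it's 100%";
console.log(buildSearchUnsafe(sampleKey).sql); // quote is now SQL syntax
console.log(buildSearchSafe(sampleKey));       // same SQL text for any key
```

The `sql` and `bindings` pair goes to whatever placeholder call the deployment's database driver provides; the point is that the statement text never varies with the request.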
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-10T10:23:59.240Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68c1cc7ef286523e0b8be523
Added to database: 9/10/2025, 7:07:42 PM
Last enriched: 9/10/2025, 7:07:57 PM
Last updated: 9/10/2025, 8:08:26 PM