CVE-2025-11904 is a SQL injection vulnerability identified in the ChanCMS content management system maintained by yanyutao0402, affecting versions 3.3.0, 3.3.1, and 3.3.2. The flaw exists in the hasUse function located in the /cms/model/hasUse file, where the ID parameter is not properly sanitized before being incorporated into SQL queries. This improper input validation allows an unauthenticated remote attacker to inject arbitrary SQL commands, potentially manipulating the backend database. The vulnerability does not require user interaction or prior authentication, increasing its risk profile. The CVSS 4.0 base score is 5.3, reflecting a medium severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed. The impact vector indicates limited confidentiality, integrity, and availability impacts, suggesting partial data exposure or modification rather than full system compromise. The vendor was contacted but did not respond, and no official patches or mitigations have been published yet. Public exploit code has been disclosed, increasing the risk of exploitation despite no known active attacks in the wild. This vulnerability highlights the importance of secure coding practices, especially input validation in CMS platforms that are often exposed to the internet and targeted by attackers.

The SQL injection vulnerability in ChanCMS can allow attackers to execute arbitrary SQL commands remotely, potentially leading to unauthorized data access, data modification, or deletion. This can compromise the confidentiality of sensitive information stored in the CMS database, such as user credentials, content, or configuration data. Integrity may be impacted by unauthorized changes to database records, which could disrupt website functionality or content accuracy. Availability could be affected if attackers execute commands that degrade database performance or cause crashes. Since no authentication is required, any attacker with network access to the CMS can attempt exploitation, increasing the attack surface. Organizations relying on ChanCMS for website management risk data breaches, defacement, or service disruption if this vulnerability is exploited. The lack of vendor response and patches further elevates the risk, as users may remain exposed for extended periods. Although no active exploits are currently known, the public disclosure of exploit code could lead to opportunistic attacks, especially against less-secured or unmonitored installations.

Organizations using ChanCMS versions 3.3.0 through 3.3.2 should immediately audit their installations for exposure to this vulnerability. Since no official patch is available, users should consider the following mitigations: 1) Implement Web Application Firewall (WAF) rules to detect and block suspicious SQL injection patterns targeting the hasUse function and the ID parameter. 2) Restrict network access to the CMS backend to trusted IP addresses where feasible, reducing exposure to remote attackers. 3) Conduct thorough input validation and sanitization at the application or database layer if possible, applying parameterized queries or prepared statements to prevent injection. 4) Monitor logs for unusual database queries or error messages indicative of injection attempts. 5) Plan for an upgrade or migration to a patched or alternative CMS solution once available. 6) Regularly back up CMS data to enable recovery in case of data corruption or loss. 7) Educate administrators about the vulnerability and encourage vigilance against suspicious activity. These steps provide layered defense until an official patch or update is released by the vendor.