CVE-2025-11904 is a SQL injection vulnerability identified in the ChanCMS content management system, versions 3.3.0 through 3.3.2. The flaw exists in the hasUse function located in the /cms/model/hasUse file, where the ID parameter is improperly validated or sanitized. This allows an attacker to inject malicious SQL code remotely, potentially manipulating backend databases. The vulnerability does not require authentication or user interaction, making it easier to exploit. The CVSS 4.0 base score is 5.3 (medium), reflecting a network attack vector with low attack complexity and no privileges required. The impact includes partial compromise of confidentiality, integrity, and availability of the CMS data. The vendor was notified early but has not issued a patch or response, and public exploit information is available, increasing the risk of exploitation. No known exploits are currently observed in the wild, but the public disclosure and lack of vendor response heighten urgency for mitigation. The vulnerability affects all installations running the specified versions of ChanCMS, which is a niche CMS product, likely used by small to medium organizations.

For European organizations using ChanCMS, this vulnerability poses a significant risk of unauthorized data access, data manipulation, or denial of service. Attackers exploiting this SQL injection can extract sensitive information, modify or delete data, or disrupt CMS operations, potentially leading to data breaches or service outages. Given the lack of vendor response and patches, organizations face prolonged exposure. The impact is particularly critical for entities managing personal data under GDPR, as breaches could result in regulatory penalties and reputational damage. Additionally, compromised CMS platforms can serve as footholds for further network intrusion or malware deployment. The medium severity score reflects moderate but tangible risk, especially for organizations relying on ChanCMS for public-facing websites or internal content management.

Since no official patches are available, European organizations should implement immediate compensating controls. These include: 1) Applying Web Application Firewall (WAF) rules to detect and block SQL injection attempts targeting the hasUse function and the ID parameter; 2) Conducting thorough input validation and sanitization on the ID parameter at the application or proxy level if possible; 3) Restricting network access to the CMS administration interfaces to trusted IPs or VPNs; 4) Monitoring logs for suspicious SQL queries or anomalous database activity; 5) Considering temporary disabling or restricting the vulnerable function if feasible; 6) Planning for an upgrade or migration to a patched or alternative CMS solution once available; 7) Educating administrators about the risk and signs of exploitation. Organizations should also maintain regular backups and have an incident response plan ready in case of compromise.