CVE-2025-11905 is a code injection vulnerability identified in the ChanCMS content management system, versions 3.3.0 through 3.3.2. The vulnerability resides in the getArticle function within the gather.js controller module. This function improperly handles input, allowing an attacker to inject arbitrary code remotely. The attack vector requires no user interaction and no authentication, making it accessible to unauthenticated remote attackers. The vulnerability can lead to execution of malicious code on the server, potentially allowing attackers to manipulate or exfiltrate data, disrupt service, or pivot within the network. The CVSS 4.0 base score is 5.3 (medium), reflecting low attack complexity and privileges required, but limited impact on confidentiality, integrity, and availability. The vendor was contacted but did not respond or issue a patch, and public exploit code is available, increasing the risk of exploitation. No known active exploitation has been reported to date. The vulnerability affects installations of ChanCMS, a CMS product primarily used in Chinese-speaking markets and niche communities. The lack of vendor response and public exploit availability necessitate immediate attention from users of affected versions.

If exploited, this vulnerability could allow attackers to execute arbitrary code on servers running vulnerable versions of ChanCMS, potentially leading to unauthorized data access, data modification, or service disruption. This could compromise the confidentiality, integrity, and availability of affected systems. Organizations relying on ChanCMS for content management may face website defacement, data breaches, or use of compromised servers as footholds for further network intrusion. The medium severity rating indicates that while the vulnerability is serious, its impact is somewhat limited by the scope of affected systems and the level of privileges required. However, the availability of public exploit code and lack of vendor patch increase the risk of exploitation, especially in environments where ChanCMS is exposed to the internet without adequate protections. This could lead to reputational damage, regulatory compliance issues, and operational disruptions for affected organizations.

Since no official patch or update has been released by the vendor, organizations should implement immediate compensating controls. These include restricting network access to the ChanCMS application to trusted IP addresses, deploying web application firewalls (WAFs) with custom rules to detect and block suspicious input patterns targeting the getArticle function, and monitoring logs for unusual activity indicative of code injection attempts. Administrators should consider isolating or sandboxing the CMS environment to limit potential damage. Regular backups of CMS data and configurations should be maintained to enable recovery in case of compromise. Organizations should also evaluate alternative CMS platforms or upgrade plans once a vendor patch becomes available. Additionally, security teams should stay alert for any emerging exploit activity and apply threat intelligence to adjust defenses accordingly.