CVE-2025-8226
BaseFortify

Publication date: 2025-07-27

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in yanyutao0402 ChanCMS up to 3.1.2. It has been classified as problematic. Affected is an unknown function of the file /sysApp/find. The manipulation of the argument accessKey/secretKey leads to information disclosure. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.1.3 is able to address this issue. It is recommended to upgrade the affected component.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-07-27
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: chancms | Product: chancms | Version / Range: up to 3.1.3 (excluding)
CWE ID | Description
CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
NVD-CWE-noinfo | Insufficient information (NVD placeholder; no specific CWE assigned).
CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-8226 is an information disclosure vulnerability in ChanCMS versions up to 3.1.2. It occurs in the API endpoint /sysApp/find, where manipulation of the accessKey and secretKey arguments allows unauthorized attackers to retrieve sensitive API credentials. This exposure can lead to full account takeover and abuse of associated cloud resources. The vulnerability can be exploited remotely and a proof-of-concept exploit is publicly available. Upgrading to version 3.1.3 fixes this issue. [1, 2, 3]


How can this vulnerability impact me?

This vulnerability can lead to unauthorized disclosure of sensitive API credentials (accessKey and secretKey), enabling attackers to take over user accounts fully and potentially abuse cloud resources linked to those accounts. This can result in loss of control over your system, unauthorized actions performed on your behalf, and potential damage or misuse of your cloud infrastructure. [1, 3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting to access the vulnerable API endpoint `/sysApp/find` and checking if sensitive credentials such as `accessKey` and `secretKey` are disclosed. A simple command to test this is using curl to send a request to the endpoint, for example: `curl http://<target-ip>:<port>/sysApp/find`. If the response contains accessKey or secretKey information, the system is vulnerable. [3]


What immediate steps should I take to mitigate this vulnerability?

The immediate step to mitigate this vulnerability is to upgrade ChanCMS to version 3.1.3, which addresses and fixes the information disclosure issue. Until the upgrade is applied, restrict access to the `/sysApp/find` endpoint and monitor for any unauthorized access attempts. [1, 2]
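As a defender-side complement to the detection and mitigation answers above, here is an added example (not from BaseFortify, VulDB or the ChanCMS project) that scans web-server access logs for requests to /sysApp/find and reports, per client, how many requests reached the endpoint, how many were served with a 2xx, and whether the advisory's accessKey/secretKey arguments appeared. It assumes the nginx/Apache "combined" log format; the sample log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Endpoint and argument names as given in the advisory for CVE-2025-8226.
VULN_PATH = "/sysApp/find"
WATCHED_ARGS = ("accessKey", "secretKey")

# Assumption: access log in the "combined" format used by nginx/Apache by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (not real traffic); RFC 5737 documentation addresses.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Jul/2025:10:00:01 +0000] "GET /sysApp/find?accessKey=x&secretKey=y HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [27/Jul/2025:10:00:02 +0000] "GET /sysApp/find HTTP/1.1" 200 480 "-" "curl/8.0"
198.51.100.7 - - [27/Jul/2025:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Jul/2025:10:02:00 +0000] "POST /sysApp/find HTTP/1.1" 403 120 "-" "Mozilla/5.0"
this line is not in combined format and is skipped
"""


def parse_line(line):
    """Return a dict of the fields we need, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    entry["args"] = parse_qs(parts.query, keep_blank_values=True)
    return entry


def scan(lines):
    """Return every parsed request whose path is the vulnerable endpoint.

    Each hit records which of the advisory's argument names were present, so an
    analyst can tell requests carrying accessKey/secretKey from plain hits.
    """
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry["path"] != VULN_PATH:
            continue
        entry["watched_args"] = sorted(a for a in WATCHED_ARGS if a in entry["args"])
        hits.append(entry)
    return hits


def summarize(hits):
    """Per-client counts: total requests to the endpoint and how many got a 2xx.

    Once access to the endpoint is restricted, any 2xx here from an unexpected
    client is the signal to follow up on.
    """
    total = Counter(h["ip"] for h in hits)
    served = Counter(h["ip"] for h in hits if h["status"].startswith("2"))
    return {ip: {"requests": total[ip], "served": served[ip]} for ip in total}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for ip, counts in summarize(found).items():
        print(f"{ip}: {counts['requests']} request(s) to {VULN_PATH}, {counts['served']} served")
```

To run it against a real server, replace SAMPLE_LOG.splitlines() with the lines of the access log; the regex will need adjusting if the log format is customised.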

