CVE-2025-65602 — ChanCMS ≤ 3.3.4 Unauthenticated File Write Leading to Template Injection and RCE

Description

A template injection vulnerability exists in ChanCMS v3.3.4 and earlier. An unauthenticated attacker can write arbitrary files to the server through the /vip/v1/file/save API endpoint. By overwriting a template file under app/modules/web/view/default/*.html, the attacker can inject template code that runs when the template is rendered, leading to Remote Code Execution (RCE).

This vulnerability can be exploited over the network and requires no authentication or user interaction.


Affected Versions


Affected Component


Vulnerability Type


Attack Vector

The attacker can:

  1. Send a crafted POST request to /vip/v1/file/save to overwrite template files.
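To check whether an instance has received such requests, the following added example (not part of the advisory or of ChanCMS) summarizes POST requests to /vip/v1/file/save found in web access logs, per client. It assumes the logs are in nginx/Apache "combined" format; the function names and the sample log lines are constructed for illustration.

```javascript
// Added example: flag requests to the file-save endpoint in web access logs.
// Assumption: logs are in nginx/Apache "combined" format (e.g. from a reverse proxy).
const ENDPOINT = '/vip/v1/file/save';
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3}) /;

// Normalize a request target so trivial variations still match the endpoint.
// Lowercasing is deliberately conservative: it may over-match, never under-match.
function normalizePath(target) {
  let path = target.split('?')[0].split('#')[0];
  try { path = decodeURIComponent(path); } catch (e) { /* keep raw on bad escapes */ }
  path = path.replace(/\/{2,}/g, '/').replace(/\/+$/, '');
  return path.toLowerCase();
}

// Return one summary per client that POSTed to the endpoint.
function findFileSaveHits(lines) {
  const byClient = new Map();
  for (const line of lines) {
    const m = LINE_RE.exec(line);
    if (!m) continue; // skip lines that are not in combined format
    const [, ip, time, method, target, status] = m;
    if (method !== 'POST' || normalizePath(target) !== ENDPOINT) continue;
    const hit = byClient.get(ip) || { ip, count: 0, succeeded: 0, first: time, last: time };
    hit.count += 1;
    if (status.startsWith('2')) hit.succeeded += 1; // 2xx: a write may have happened
    hit.last = time;
    byClient.set(ip, hit);
  }
  // Clients with successful (2xx) requests first, then by request volume.
  return [...byClient.values()].sort((a, b) => b.succeeded - a.succeeded || b.count - a.count);
}

// Constructed sample log lines (documentation IP ranges), not real traffic.
const SAMPLE = [
  '203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "curl/8.0"',
  '203.0.113.7 - - [01/Jan/2025:10:00:05 +0000] "POST /vip/v1/file/save HTTP/1.1" 200 48 "-" "curl/8.0"',
  '203.0.113.7 - - [01/Jan/2025:10:00:09 +0000] "POST /vip//v1/file/save/?x=1 HTTP/1.1" 200 48 "-" "curl/8.0"',
  '198.51.100.4 - - [01/Jan/2025:10:02:00 +0000] "POST /vip/v1/file/save HTTP/1.1" 403 12 "-" "Mozilla/5.0"',
  '198.51.100.9 - - [01/Jan/2025:10:03:00 +0000] "GET /vip/v1/file/save HTTP/1.1" 404 12 "-" "Mozilla/5.0"',
];

for (const h of findFileSaveHits(SAMPLE)) {
  console.log(`${h.ip} posts=${h.count} 2xx=${h.succeeded} first=${h.first} last=${h.last}`);
}
```

Any client with 2xx responses is a reason to compare the files under app/modules/web/view/default/ against a known-good copy of the release.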