CVE-2025-8266 (CVSS 9.8) is an unauthenticated remote code execution vulnerability via unsafe deserialization in ChanCMS’s getArticle function. It affects all versions through 3.1.2. Active exploitation is confirmed in both CISA KEV and VulnCheck KEV, and a public proof-of-concept is available. The targetUrl parameter in the collect controller is passed to an unsafe deserialization operation without sanitization, enabling arbitrary code execution on any internet-facing ChanCMS instance. Upgrade to version 3.1.3 immediately and treat any instance that was internet-exposed prior to patching as potentially compromised.