CVE-2025-57805

Source
https://cve.org/CVERecord?id=CVE-2025-57805
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-57805.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-57805
Aliases
  • GHSA-h5rj-2466-qr23
Published
2025-08-25T21:15:50.878Z
Modified
2026-04-10T05:31:11.876678Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
The Scratch Channel's Publish Articles POST Request Can Upload Articles Without Validation
Details

The Scratch Channel is a news website. In versions 1 and 1.1, a POST request to the endpoint used to publish articles can be used to post an article in any category with any date, regardless of who's logged in. This issue has been patched in version 1.2.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/57xxx/CVE-2025-57805.json",
    "cwe_ids": [
        "CWE-20"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/the-scratch-channel/tsc-web-client

Affected ranges

Type
GIT
Repo
https://github.com/the-scratch-channel/tsc-web-client
Events
Database specific
{
    "versions": [
        {
            "introduced": "1"
        },
        {
            "fixed": "1.2"
        }
    ]
}

Affected versions

Other
v1
v1.*
v1.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-57805.json"