Description
The Scratch Channel is a news website. In versions 1 and 1.1, a POST request to the endpoint used to publish articles can be used to post an article in any category with any date, regardless of who is logged in. This issue has been patched in version 1.2.
References (1)
Vendor Advisory (x_refsource_confirm): https://github.com/The-Scratch-Channel/tsc-web-client/security/advisories/GHSA-h5rj-2466-qr23
Scores
CVSS v4: 8.7
EPSS: 0.0030
EPSS Percentile: 21.5%
CVSS v4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-20
Status: published
Products (1): The-Scratch-Channel/tsc-web-client (>= 1, < 1.2)
Published: Aug 25, 2025
Tracked Since: Feb 18, 2026