CVE-2025-59416 HIGH

CVE-2025-59416: The Scratch Channel forks can publish articles

Vendor The-Scratch-Channel

Product tsc-web-client

Weakness CWE-862 · Missing authorization

Published September 17, 2025

Last update September 17, 2025

View on NVD All CVEs

CVSS base score

7.2/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:H/SC:H/SI:N/SA:H

What the vulnerability does

01Description

The Scratch Channel is a news website. If the user makes a fork, they can change the admins and make an article. Since the API uses a POST request, it will make an article. This issue is fixed in v1.2.

Key dates

02Disclosure timeline

September 17, 2025 CVE published

September 17, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-59416

Related vulnerabilities

04Related CVE

CVE-2025-15369 Xpro Addons — 140+ Widgets for Elementor <= 1.5.0 - Missing Authorization to Unauthenticated Xpro Template Creation CVE-2024-8999 Improper Access Control in lunary-ai/lunary CVE-2025-41338 Missing Authorization vulnerability in CanalDenuncia.app CVE-2025-69364 WordPress Breeze plugin <= 2.2.21 - Broken Access Control vulnerability CVE-2024-35741 WordPress Awesome Support plugin <= 6.1.7 - Broken Access Control vulnerability