CVE-2025-57805: CWE-20: Improper Input Validation in The-Scratch-Channel tsc-web-client
The Scratch Channel is a news website. In versions 1 and 1.1, a POST request to the endpoint used to publish articles can be used to post an article in any category with any date, regardless of who is logged in. This issue has been patched in version 1.2.
AI Analysis
Technical Summary
CVE-2025-57805 is a high-severity vulnerability affecting versions 1.0 and 1.1 of the tsc-web-client, the web client component of The-Scratch-Channel news website. The vulnerability stems from improper input validation (CWE-20) in the POST request handler responsible for publishing articles. Specifically, an unauthenticated attacker can craft a POST request to the article publishing endpoint to create articles in any category and with any publication date, bypassing authentication and authorization controls. This means that the attacker can inject arbitrary content into the news website, potentially misleading readers or damaging the site's credibility. The vulnerability does not require any user interaction or privileges, and it can be exploited remotely over the network. The issue was patched in version 1.2 of the tsc-web-client. The CVSS 4.0 base score is 8.7, reflecting the ease of exploitation (no authentication, no user interaction), network attack vector, and high impact on integrity (unauthorized content publication). There is no known exploitation in the wild yet, but the vulnerability poses a significant risk to the integrity and trustworthiness of the news platform.
Potential Impact
For European organizations, especially media companies or news aggregators using The-Scratch-Channel's tsc-web-client versions prior to 1.2, this vulnerability could lead to unauthorized publication of false or misleading news articles. This can severely damage brand reputation, misinform the public, and potentially influence public opinion or market behavior. Regulatory compliance risks may also arise, particularly under the EU's Digital Services Act and GDPR, if manipulated content leads to misinformation or harms user trust. Furthermore, attackers could use this vulnerability as a vector for disinformation campaigns or to spread propaganda, which is a critical concern given the geopolitical climate in Europe. The integrity compromise could also facilitate further attacks if malicious content includes links or scripts targeting users. Availability and confidentiality impacts are minimal, but the high integrity impact alone makes this a serious threat for affected organizations.
Mitigation Recommendations
Organizations should immediately upgrade the tsc-web-client to version 1.2 or later, where the input validation flaw has been patched. Until the upgrade is possible, implement strict network-level access controls to restrict access to the article publishing endpoint, allowing only trusted internal IPs or authenticated users. Employ Web Application Firewalls (WAFs) with custom rules to detect and block anomalous POST requests attempting to publish articles with unauthorized categories or dates. Conduct thorough logging and monitoring of article publication activities to detect suspicious or unauthorized posts promptly. Additionally, implement multi-factor authentication and role-based access controls on the content management system to reduce the risk of unauthorized access. Regularly audit published content for integrity and authenticity. Finally, educate editorial and IT staff about the vulnerability and response procedures.
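The kind of server-side check this class of flaw calls for, as an added example: it is not the project's code or its 1.2 patch. The field names (title, body, category, date, author), the session shape and the function name authorizePublish are assumptions made for illustration.

```javascript
// Added example (hypothetical names throughout): decide whether a publish
// request may proceed, trusting only server-side session state.
const MAX_TITLE = 200; // assumed limit

// session: null when the caller is unauthenticated, otherwise
// { user: string, categories: string[] } loaded from the server's session
// store, never from the request body.
function authorizePublish(session, request, now = new Date()) {
  if (!session || typeof session.user !== 'string') {
    return { ok: false, status: 401, reason: 'not authenticated' };
  }
  if (request === null || typeof request !== 'object') {
    return { ok: false, status: 400, reason: 'malformed request' };
  }
  const { title, body, category } = request;
  if (typeof title !== 'string' || title.trim() === '' || title.length > MAX_TITLE) {
    return { ok: false, status: 400, reason: 'invalid title' };
  }
  if (typeof body !== 'string' || body.trim() === '') {
    return { ok: false, status: 400, reason: 'invalid body' };
  }
  const allowed = Array.isArray(session.categories) ? session.categories : [];
  if (typeof category !== 'string' || !allowed.includes(category)) {
    return { ok: false, status: 403, reason: 'category not permitted for user' };
  }
  // Author and date are set by the server. Client-supplied values are
  // dropped, and their presence is recorded so monitoring can flag clients
  // that try to set them.
  const ignoredFields = ['date', 'author'].filter((k) => k in request);
  return {
    ok: true,
    status: 201,
    article: {
      title: title.trim(),
      body,
      category,
      author: session.user,
      date: now.toISOString(),
    },
    audit: { user: session.user, category, ignoredFields },
  };
}
```

Rejections and non-empty ignoredFields entries are the events worth logging when monitoring publication activity.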
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-08-20T14:30:35.009Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68acd67cad5a09ad004ff98c
Added to database: 8/25/2025, 9:32:44 PM
Last enriched: 9/2/2025, 1:05:21 AM
Last updated: 10/10/2025, 12:49:36 PM