VYPR

Tsc Web Client

by The Scratch Channel

CVEs (4)

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-57805 | Hig | 0.50 | | 0.00 | | Aug 25, 2025 | The Scratch Channel is a news website. In versions 1 and 1.1, a POST request to the endpoint used to publish articles can be used to post an article in any category with any date, regardless of who's logged in. This issue has been patched in version 1.2. |
| CVE-2025-59416 | Hig | 0.40 | | 0.00 | | Sep 17, 2025 | The Scratch Channel is a news website. If the user makes a fork, they can change the admins and make an article. Since the API uses a POST request, it will make an article. This issue is fixed in v1.2. |
| CVE-2025-55301 | Med | 0.37 | 6.7 | 0.00 | | Aug 25, 2025 | The Scratch Channel is a news website. In version 1, it is possible to go to application in devtools and click local storage to edit the account's username locally. This issue has been patched in version 1.1. |
| CVE-2025-53903 | Low | 0.01 | | 0.00 | | Jul 15, 2025 | The Scratch Channel is a news website that is under development as of the time of this writing. The file `/api/users.js` doesn't properly sanitize text box inputs, leading to a potential vulnerability to cross-site scripting attacks. Commit 90b39eb56b27b2bac29001abb1a3cac0964b8ddb addresses this issue. |