
Last Week in AppSec for 07. October 2025

ID: ec52f63d-1db0-56af-befa-d6f98dd5ba7f

STIX ID: report--ec52f63d-1db0-56af-befa-d6f98dd5ba7f

Feed Name: Checkmarx Zero

Threat Score
70/100

Date Published: 2025-10-07

Date Updated: 2026-04-27

Author: Darren Meyer

...
...

**Checkmarx bulletin:** Two high-risk vulnerabilities were reported.

Django CVE-2025-59681 (CVSS 7.1): SQL injection via attacker-controlled alias names in QuerySet APIs on MySQL/MariaDB. Upgrade to 4.2.25, 5.1.13, or 5.2.7, and avoid passing user input into alias names.

FreshRSS CVE-2025-54875 (CVSS 9.8): unauthenticated admin account creation via a hidden registration field when self-registration is enabled. Fixed in 1.27.0. If unable to patch, disable self-registration, block the parameter, audit logs for suspicious registrations, and review admin accounts and credentials.
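The Django advice above is "avoid passing user input into alias names". The following is an added example (not Checkmarx's or Django's own code) of the pattern that achieves that: the request carries only a short option key, and the alias used in the query comes from a server-side table. The option keys, alias names and expression strings are constructed for illustration; the expression strings stand in for Django expressions such as `Count("views")` so the block runs without Django installed.

```python
import re

# Constructed example: a server-owned table of annotation options.  The client
# sends only the option key; the alias comes from this table, never from the
# request.  Expression strings stand in for Django expressions (e.g. Count("views"))
# so this block runs without Django.
ANNOTATION_OPTIONS = {
    "views": ("total_views", "Count('views')"),
    "activity": ("last_comment_at", "Max('comments__created')"),
}

# Defence in depth: even table-sourced aliases must be plain identifiers, so a
# mistaken table entry can never reach the SQL as a quoted or escaped name.
_IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def resolve_annotation(option_key: str) -> tuple:
    """Map an untrusted option key to a server-owned (alias, expression) pair.

    Raises ValueError for unknown keys, so unexpected input is rejected rather
    than interpolated anywhere near a query.
    """
    try:
        alias, expression = ANNOTATION_OPTIONS[option_key]
    except KeyError:
        raise ValueError(f"unknown annotation option: {option_key!r}") from None
    if not _IDENTIFIER.fullmatch(alias):
        raise ValueError(f"alias is not a plain identifier: {alias!r}")
    return alias, expression


def annotate_kwargs(option_key: str) -> dict:
    """Keyword arguments for QuerySet.annotate(); only allowlisted aliases appear."""
    alias, expression = resolve_annotation(option_key)
    return {alias: expression}
    # Hypothetical view usage (assumes an Article model):
    #   Article.objects.annotate(**annotate_kwargs(request.GET["sort"]))
```

The point of the table is that user input selects among aliases the server already owns; it is never itself used as an alias, so the fix applies regardless of which Django version is deployed, and the identifier check catches a misconfigured table entry before it reaches the ORM.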
