VYPR

Studiocms

by Withstudiocms

npm: studiocms

Source repositories

CVEs (7)

  • CVE-2026-32638Mar 18, 2026
    risk 0.00cvss epss 0.00

    StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.4, the REST API `getUsers` endpoint in StudioCMS uses the attacker-controlled `rank` query parameter to decide whether owner accounts should be filtered from the result set. As a…

  • CVE-2026-32104Mar 11, 2026
    risk 0.00cvss epss 0.00

    StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the updateUserNotifications endpoint accepts a user ID from the request payload and uses it to update that user's notification preferences. It checks that the caller is logged…

  • CVE-2026-32106Mar 11, 2026
    risk 0.00cvss epss 0.00

    StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the REST API createUser endpoint uses string-based rank checks that only block creating owner accounts, while the Dashboard API uses indexOf-based rank comparison that prevents…

  • CVE-2026-32103Mar 11, 2026
    risk 0.00cvss epss 0.00

    StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the POST /studiocms_api/dashboard/create-reset-link endpoint allows any authenticated user with admin privileges to generate a password reset token for any other user,…

  • CVE-2026-30945Mar 10, 2026
    risk 0.00cvss epss 0.00

    StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the DELETE /studiocms_api/dashboard/api-tokens endpoint allows any authenticated user with editor privileges or above to revoke API tokens belonging to any other user,…

  • CVE-2026-30944Mar 10, 2026
    risk 0.00cvss epss 0.01

    StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the /studiocms_api/dashboard/api-tokens endpoint allows any authenticated user (at least Editor) to generate API tokens for any other user, including owner and admin accounts.…

  • CVE-2026-24134Jan 27, 2026
    risk 0.00cvss epss 0.00

    StudioCMS is a server-side-rendered, Astro native, headless content management system. Versions prior to 0.2.0 contain a Broken Object Level Authorization (BOLA) vulnerability in the Content Management feature that allows users with the "Visitor" role to access draft content…