VYPR
Vendor: Withstudiocms

Products: 2
CVEs: 8 (across products: 8)
Status: Private

Recent CVEs (8)
  • CVE-2026-32638 (Mar 18, 2026)
    risk 0.00 · cvss · epss 0.00

    StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.4, the REST API `getUsers` endpoint in StudioCMS uses the attacker-controlled `rank` query parameter to decide whether owner accounts should be filtered from the result set. As a…

  • CVE-2026-32104 (Mar 11, 2026)
    risk 0.00 · cvss · epss 0.00

    StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the updateUserNotifications endpoint accepts a user ID from the request payload and uses it to update that user's notification preferences. It checks that the caller is logged…

  • CVE-2026-32106 (Mar 11, 2026)
    risk 0.00 · cvss · epss 0.00

    StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the REST API createUser endpoint uses string-based rank checks that only block creating owner accounts, while the Dashboard API uses indexOf-based rank comparison that prevents…

  • CVE-2026-32103 (Mar 11, 2026)
    risk 0.00 · cvss · epss 0.00

    StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the POST /studiocms_api/dashboard/create-reset-link endpoint allows any authenticated user with admin privileges to generate a password reset token for any other user,…

  • CVE-2026-32101 (Mar 11, 2026)
    risk 0.00 · cvss · epss 0.00

    StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.3.1, the S3 storage manager's isAuthorized() function is declared async (returns Promise) but is called without await in both the POST and PUT handlers. Since a Promise…

  • CVE-2026-30945 (Mar 10, 2026)
    risk 0.00 · cvss · epss 0.00

    StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the DELETE /studiocms_api/dashboard/api-tokens endpoint allows any authenticated user with editor privileges or above to revoke API tokens belonging to any other user,…

  • CVE-2026-30944 (Mar 10, 2026)
    risk 0.00 · cvss · epss 0.01

    StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the /studiocms_api/dashboard/api-tokens endpoint allows any authenticated user (at least Editor) to generate API tokens for any other user, including owner and admin accounts.…

  • CVE-2026-24134 (Jan 27, 2026)
    risk 0.00 · cvss · epss 0.00

    StudioCMS is a server-side-rendered, Astro native, headless content management system. Versions prior to 0.2.0 contain a Broken Object Level Authorization (BOLA) vulnerability in the Content Management feature that allows users with the "Visitor" role to access draft content…