Studiocms

8 vulnerabilities found.

Note: This list may be incomplete. Data is provided without warranty in its original format.
Exploit
  • EPSS 0.01%
  • Published 18.03.2026 20:41:14
  • Last modified 19.03.2026 18:40:31

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.4, the REST API `getUsers` endpoint in StudioCMS uses the attacker-controlled `rank` query parameter to decide whether owner accounts should be filter...

Exploit
  • EPSS 0.02%
  • Published 11.03.2026 20:09:44
  • Last modified 17.03.2026 15:35:38

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the updateUserNotifications endpoint accepts a user ID from the request payload and uses it to update that user's notification preferences. It chec...

Exploit
  • EPSS 0.02%
  • Published 11.03.2026 20:09:12
  • Last modified 17.03.2026 15:36:52

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the REST API createUser endpoint uses string-based rank checks that only block creating owner accounts, while the Dashboard API uses indexOf-based ...

Exploit
  • EPSS 0.01%
  • Published 11.03.2026 20:06:58
  • Last modified 17.03.2026 15:36:29

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the POST /studiocms_api/dashboard/create-reset-link endpoint allows any authenticated user with admin privileges to generate a password reset token...

Exploit
  • EPSS 0.05%
  • Published 11.03.2026 20:03:05
  • Last modified 17.03.2026 15:24:39

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.3.1, the S3 storage manager's isAuthorized() function is declared async (returns Promise<boolean>) but is called without await in both the POST and PUT ...

Exploit
  • EPSS 0.05%
  • Published 10.03.2026 16:52:14
  • Last modified 17.03.2026 16:17:30

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the DELETE /studiocms_api/dashboard/api-tokens endpoint allows any authenticated user with editor privileges or above to revoke API tokens belongin...

Exploit
  • EPSS 0.05%
  • Published 10.03.2026 16:48:55
  • Last modified 17.03.2026 16:14:35

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the /studiocms_api/dashboard/api-tokens endpoint allows any authenticated user (at least Editor) to generate API tokens for any other user, includi...

Exploit
  • EPSS 0.04%
  • Published 27.01.2026 23:34:55
  • Last modified 17.03.2026 15:39:51

StudioCMS is a server-side-rendered, Astro native, headless content management system. Versions prior to 0.2.0 contain a Broken Object Level Authorization (BOLA) vulnerability in the Content Management feature that allows users with the "Visitor" rol...