Package details: pkg:npm/studiocms@0.4.0
purl: pkg:npm/studiocms@0.4.0
Next non-vulnerable version: 0.4.4
Latest non-vulnerable version: 0.4.4
Risk: 3.1
Vulnerabilities affecting this package (4)
Vulnerability | Summary | Fixed by
VCID-4b22-3bcp-x3a8
Aliases:
CVE-2026-32104
GHSA-9v82-xrm4-mp52
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the updateUserNotifications endpoint accepts a user ID from the request payload and uses it to update that user's notification preferences. It checks that the caller is logged in but never verifies that the caller owns the target account (id !== userData.user.id). Any authenticated visitor can modify notification preferences for any user, including disabling admin notifications to suppress detection of malicious activity. This vulnerability is fixed in 0.4.3.
Fixed by: 0.4.3 (the fixing version 0.4.3 is itself affected by 1 other vulnerability)
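The defect described for updateUserNotifications is a missing binding between the id in the request body and the id of the authenticated session. The following is an added example, not StudioCMS code: it models the pre-0.4.3 behaviour and the hardened form side by side. Session, NotificationPrefs, UpdatePayload, the handler names and the constructed scenario are all assumptions used for illustration.

```typescript
// Added example (not StudioCMS code): a minimal model of the pre-0.4.3
// updateUserNotifications handler and its hardened form. Every name below
// (Session, NotificationPrefs, the handler functions) is an assumption.

interface Session {
  user: { id: string; rank: string } | null;
}

interface NotificationPrefs {
  securityAlerts: boolean;
  mentions: boolean;
}

interface UpdatePayload {
  id: string; // target user id, taken straight from the request body
  prefs: NotificationPrefs;
}

type PrefsStore = Map<string, NotificationPrefs>;

interface Result {
  status: number;
  body: string;
}

// Vulnerable pattern: authentication is checked, ownership is not.
function updateNotificationsVulnerable(session: Session, payload: UpdatePayload, store: PrefsStore): Result {
  if (!session.user) return { status: 401, body: "not logged in" };
  store.set(payload.id, payload.prefs); // trusts payload.id blindly
  return { status: 200, body: "updated" };
}

// Hardened pattern: the target id must equal the authenticated user's id.
function updateNotificationsFixed(session: Session, payload: UpdatePayload, store: PrefsStore): Result {
  if (!session.user) return { status: 401, body: "not logged in" };
  if (payload.id !== session.user.id) {
    return { status: 403, body: "cannot modify another user's preferences" };
  }
  store.set(payload.id, payload.prefs);
  return { status: 200, body: "updated" };
}

// Constructed scenario: an editor tries to silence the owner's security alerts.
function demoNotifications(): { vulnerableOwnerAlerts: boolean; fixedOwnerAlerts: boolean; fixedStatus: number } {
  const attacker: Session = { user: { id: "u-editor", rank: "editor" } };
  const payload: UpdatePayload = {
    id: "u-owner",
    prefs: { securityAlerts: false, mentions: false },
  };

  const storeA: PrefsStore = new Map([["u-owner", { securityAlerts: true, mentions: true }]]);
  updateNotificationsVulnerable(attacker, payload, storeA);

  const storeB: PrefsStore = new Map([["u-owner", { securityAlerts: true, mentions: true }]]);
  const fixed = updateNotificationsFixed(attacker, payload, storeB);

  return {
    vulnerableOwnerAlerts: storeA.get("u-owner")!.securityAlerts, // owner's alerts were switched off
    fixedOwnerAlerts: storeB.get("u-owner")!.securityAlerts,      // unchanged
    fixedStatus: fixed.status,                                     // 403
  };
}
```

The check is deliberately placed before any write; a handler that validates after mutating the store leaves the same window open. An endpoint that is meant to be self-service should ignore a caller-supplied user id entirely and derive the target from the session.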
VCID-cts7-7e7u-mfa6
Aliases:
CVE-2026-32103
GHSA-h7vr-cg25-jf8c
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the POST /studiocms_api/dashboard/create-reset-link endpoint allows any authenticated user with admin privileges to generate a password reset token for any other user, including the owner account. The handler verifies that the caller is an admin but does not enforce role hierarchy, nor does it validate that the target userId matches the caller's identity. Combined with the POST /studiocms_api/dashboard/reset-password endpoint, this allows a complete account takeover of the highest-privileged account in the system. This vulnerability is fixed in 0.4.3.
Fixed by: 0.4.3 (the fixing version 0.4.3 is itself affected by 1 other vulnerability)
VCID-hz9y-unzu-sqcp
Aliases:
CVE-2026-32106
GHSA-wj56-g96r-673q
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the REST API createUser endpoint uses string-based rank checks that only block creating owner accounts, while the Dashboard API uses indexOf-based rank comparison that prevents creating users at or above your own rank. This inconsistency allows an admin to create additional admin accounts via the REST API, enabling privilege proliferation and persistence. This vulnerability is fixed in 0.4.3.
Fixed by: 0.4.3 (the fixing version 0.4.3 is itself affected by 1 other vulnerability)
VCID-kv1r-cpaa-8kd7
Aliases:
CVE-2026-32638
GHSA-xvf4-ch4q-2m24
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.4, the REST API `getUsers` endpoint in StudioCMS uses the attacker-controlled `rank` query parameter to decide whether owner accounts should be filtered from the result set. As a result, an admin token can request `rank=owner` and receive owner account records, including IDs, usernames, display names, and email addresses, even though the adjacent `getUser` endpoint correctly blocks admins from viewing owner users. This is an authorization inconsistency inside the same user-management surface. Version 0.4.4 fixes the issue.
Fixed by: 0.4.4 (the fixing version 0.4.4 is affected by 0 other vulnerabilities)
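The three advisories above for create-reset-link, createUser and getUsers share one root cause: authorization decisions that depend on a string equality, an "is admin" flag or a query parameter instead of the caller's position in the rank hierarchy. The block below is an added example, not StudioCMS code, covering all three. The rank list RANKS and its ordering, the User shape, and every function name are assumptions; the project's real rank names and ordering may differ.

```typescript
// Added example (not StudioCMS code). Models the rank-check inconsistencies
// described for createUser, create-reset-link and getUsers. RANKS, its
// ordering and all function names are assumptions for illustration.

type Rank = "visitor" | "editor" | "admin" | "owner";

// Lowest to highest privilege (assumed ordering).
const RANKS: Rank[] = ["visitor", "editor", "admin", "owner"];

function rankIndex(r: Rank): number {
  return RANKS.indexOf(r);
}

// --- createUser: two checks that disagree -------------------------------

// String-based check (the REST API pattern): only owner creation is blocked,
// so an admin may mint further admins.
function canCreateUserStringCheck(_callerRank: Rank, newRank: Rank): boolean {
  return newRank !== "owner";
}

// indexOf-based check (the Dashboard API pattern): the new account must sit
// strictly below the caller.
function canCreateUserIndexCheck(callerRank: Rank, newRank: Rank): boolean {
  return rankIndex(newRank) < rankIndex(callerRank);
}

// Enumerate every (caller, newRank) pair on which the two checks disagree.
// Each pair is a policy gap: one API surface allows what the other denies.
function rankCheckDisagreements(): Array<[Rank, Rank]> {
  const out: Array<[Rank, Rank]> = [];
  for (const caller of RANKS) {
    for (const target of RANKS) {
      if (canCreateUserStringCheck(caller, target) !== canCreateUserIndexCheck(caller, target)) {
        out.push([caller, target]);
      }
    }
  }
  return out;
}

// --- create-reset-link: enforce hierarchy, not just "is admin" ------------

interface User { id: string; rank: Rank; email: string }

// Vulnerable: any admin can target any user, including the owner.
function canIssueResetLinkVulnerable(caller: User, _target: User): boolean {
  return rankIndex(caller.rank) >= rankIndex("admin");
}

// Hardened: self-service, or the target must be strictly below the caller.
function canIssueResetLinkFixed(caller: User, target: User): boolean {
  if (caller.id === target.id) return true;
  return rankIndex(caller.rank) >= rankIndex("admin") &&
         rankIndex(target.rank) < rankIndex(caller.rank);
}

// --- getUsers: filter on the caller's rank, never on a query parameter ----

// Vulnerable: the caller-controlled `rank` query decides whether owners are hidden.
function listUsersVulnerable(users: User[], query: { rank?: string }): User[] {
  return query.rank === "owner" ? users : users.filter(u => u.rank !== "owner");
}

// Hardened: owner rows are visible only to owners; the query only narrows further.
function listUsersFixed(caller: User, users: User[], query: { rank?: Rank }): User[] {
  const visible = caller.rank === "owner" ? users : users.filter(u => u.rank !== "owner");
  return query.rank ? visible.filter(u => u.rank === query.rank) : visible;
}

// Constructed directory used by the checks above.
const DIRECTORY: User[] = [
  { id: "u1", rank: "owner",  email: "owner@example.invalid" },
  { id: "u2", rank: "admin",  email: "admin@example.invalid" },
  { id: "u3", rank: "editor", email: "editor@example.invalid" },
];

function demoRankChecks() {
  const owner = DIRECTORY[0];
  const admin = DIRECTORY[1];
  return {
    adminCanMintAdminRest: canCreateUserStringCheck("admin", "admin"),   // true: the gap
    adminCanMintAdminDash: canCreateUserIndexCheck("admin", "admin"),    // false
    adminResetsOwnerVuln:  canIssueResetLinkVulnerable(admin, owner),     // true: takeover path
    adminResetsOwnerFixed: canIssueResetLinkFixed(admin, owner),          // false
    ownersLeakedVuln:  listUsersVulnerable(DIRECTORY, { rank: "owner" }).filter(u => u.rank === "owner").length, // 1
    ownersLeakedFixed: listUsersFixed(admin, DIRECTORY, { rank: "owner" }).length,                                // 0
  };
}
```

rankCheckDisagreements() is the useful audit tool here: running it over a code base that exposes the same operation through two APIs surfaces every pair the two policies treat differently, and the admin-creates-admin pair from the advisory is one of them. The fix is a single shared comparison (the indexOf style) used by both the REST and Dashboard paths.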
Vulnerabilities fixed by this package (2)
Vulnerability | Summary | Aliases
VCID-cepr-tf1s-43ds
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the DELETE /studiocms_api/dashboard/api-tokens endpoint allows any authenticated user with editor privileges or above to revoke API tokens belonging to any other user, including admin and owner accounts. The handler accepts tokenID and userID directly from the request payload without verifying token ownership, caller identity, or role hierarchy. This enables targeted denial of service against critical integrations and automations. This vulnerability is fixed in 0.4.0.
Aliases:
CVE-2026-30945
GHSA-8rgj-vrfr-6hqr
VCID-fj6p-46u9-w7gf
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the /studiocms_api/dashboard/api-tokens endpoint allows any authenticated user (at least Editor) to generate API tokens for any other user, including owner and admin accounts. The endpoint fails to validate whether the requesting user is authorized to create tokens on behalf of the target user ID, resulting in a full privilege escalation. This vulnerability is fixed in 0.4.0.
Aliases:
CVE-2026-30944
GHSA-667w-mmh7-mrr4
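The two api-tokens advisories above (create and DELETE) describe the same defect from both sides: the handler takes tokenID and userID from the request body and never reconciles them with the session or the stored token record. The following is an added example, not StudioCMS code, modelling both operations before and after the fix. Session, TokenRecord, TokenStore and the handler names are assumptions, and the token id generator is a deterministic stand-in for a CSPRNG, not how real tokens should be minted.

```typescript
// Added example (not StudioCMS code): a model of the pre-0.4.0 api-tokens
// create and revoke handlers and their hardened forms. All names below are
// assumptions; `tok-N` ids stand in for cryptographically random tokens.

interface Session { user: { id: string; rank: string } | null }
interface TokenRecord { tokenId: string; userId: string; description: string }
interface Result { status: number; tokenId?: string }

class TokenStore {
  private tokens = new Map<string, TokenRecord>();
  private counter = 0;
  issue(userId: string, description: string): TokenRecord {
    const rec = { tokenId: `tok-${++this.counter}`, userId, description }; // stand-in for a random token
    this.tokens.set(rec.tokenId, rec);
    return rec;
  }
  get(tokenId: string): TokenRecord | undefined { return this.tokens.get(tokenId); }
  delete(tokenId: string): boolean { return this.tokens.delete(tokenId); }
  ownerOf(tokenId: string): string | undefined { return this.tokens.get(tokenId)?.userId; }
}

function isAtLeastEditor(rank: string): boolean {
  return rank === "editor" || rank === "admin" || rank === "owner";
}

// Vulnerable create: the token is minted for whatever userID the body names,
// so an editor can obtain a token that acts as the owner.
function createTokenVulnerable(s: Session, body: { userID: string; description: string }, store: TokenStore): Result {
  if (!s.user || !isAtLeastEditor(s.user.rank)) return { status: 403 };
  const rec = store.issue(body.userID, body.description);
  return { status: 200, tokenId: rec.tokenId };
}

// Hardened create: the token is bound to the session user; body.userID is ignored.
function createTokenFixed(s: Session, body: { userID?: string; description: string }, store: TokenStore): Result {
  if (!s.user || !isAtLeastEditor(s.user.rank)) return { status: 403 };
  const rec = store.issue(s.user.id, body.description);
  return { status: 200, tokenId: rec.tokenId };
}

// Vulnerable revoke: any editor can delete any token by id.
function revokeTokenVulnerable(s: Session, body: { tokenID: string; userID: string }, store: TokenStore): Result {
  if (!s.user || !isAtLeastEditor(s.user.rank)) return { status: 403 };
  return store.delete(body.tokenID) ? { status: 200 } : { status: 404 };
}

// Hardened revoke: ownership is resolved from the stored record, not the body.
// (An admin-may-revoke-lower-rank exception would need a rank check on top; not modelled.)
function revokeTokenFixed(s: Session, body: { tokenID: string }, store: TokenStore): Result {
  if (!s.user || !isAtLeastEditor(s.user.rank)) return { status: 403 };
  const rec = store.get(body.tokenID);
  if (!rec) return { status: 404 };
  if (rec.userId !== s.user.id) return { status: 403 }; // the missing check
  store.delete(body.tokenID);
  return { status: 200 };
}

// Constructed scenario: an editor targets the owner's deploy-hook token.
function demoApiTokens() {
  const editor: Session = { user: { id: "u-editor", rank: "editor" } };
  const store = new TokenStore();
  const ownerTok = store.issue("u-owner", "deploy hook"); // legitimately created by the owner

  const escalated = createTokenVulnerable(editor, { userID: "u-owner", description: "mine" }, store);
  const bound = createTokenFixed(editor, { userID: "u-owner", description: "mine" }, store);
  const revokedVuln = revokeTokenVulnerable(editor, { tokenID: ownerTok.tokenId, userID: "u-owner" }, store);
  const ownerTok2 = store.issue("u-owner", "deploy hook");
  const revokedFixed = revokeTokenFixed(editor, { tokenID: ownerTok2.tokenId }, store);

  return {
    escalatedOwner: store.ownerOf(escalated.tokenId!),                   // "u-owner": privilege escalation
    boundOwner: store.ownerOf(bound.tokenId!),                           // "u-editor"
    revokedVulnStatus: revokedVuln.status,                               // 200: owner's integration broken
    revokedFixedStatus: revokedFixed.status,                             // 403
    ownerTokenStillPresent: store.get(ownerTok2.tokenId) !== undefined,  // true
  };
}
```

Note that the hardened revoke handler does not accept a userID at all: when the authorization subject can be derived from the object being acted on, accepting it from the client only creates a second source of truth that the handler is then tempted to trust.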

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-12T21:30:05.255769+00:00 GitLab Importer Affected by VCID-kv1r-cpaa-8kd7 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/studiocms/CVE-2026-32638.yml 38.6.0
2026-06-12T21:27:59.138950+00:00 GitLab Importer Affected by VCID-hz9y-unzu-sqcp https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/studiocms/CVE-2026-32106.yml 38.6.0
2026-06-12T21:27:39.789815+00:00 GitLab Importer Affected by VCID-4b22-3bcp-x3a8 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/studiocms/CVE-2026-32104.yml 38.6.0
2026-06-12T21:27:03.307411+00:00 GitLab Importer Affected by VCID-cts7-7e7u-mfa6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/studiocms/CVE-2026-32103.yml 38.6.0
2026-06-12T15:51:14.698627+00:00 GitLab Importer Fixing VCID-cepr-tf1s-43ds https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/studiocms/CVE-2026-30945.yml 38.6.0
2026-06-12T15:51:13.041550+00:00 GitLab Importer Fixing VCID-fj6p-46u9-w7gf https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/studiocms/CVE-2026-30944.yml 38.6.0
2026-06-12T07:49:37.368078+00:00 GithubOSV Importer Fixing VCID-fj6p-46u9-w7gf https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-667w-mmh7-mrr4/GHSA-667w-mmh7-mrr4.json 38.6.0
2026-06-12T07:49:37.260298+00:00 GithubOSV Importer Fixing VCID-cepr-tf1s-43ds https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-8rgj-vrfr-6hqr/GHSA-8rgj-vrfr-6hqr.json 38.6.0
2026-06-11T20:38:35.497969+00:00 GHSA Importer Fixing VCID-cepr-tf1s-43ds https://github.com/advisories/GHSA-8rgj-vrfr-6hqr 38.6.0
2026-06-11T20:38:32.628966+00:00 GHSA Importer Fixing VCID-fj6p-46u9-w7gf https://github.com/advisories/GHSA-667w-mmh7-mrr4 38.6.0