Package details: pkg:npm/studiocms@0.4.1
purl: pkg:npm/studiocms@0.4.1
Next non-vulnerable version: 0.4.4
Latest non-vulnerable version: 0.4.4
Risk: 3.1
Vulnerabilities affecting this package (4)
Each entry lists the vulnerability id, its aliases, a summary, and the version that fixes it.
VCID-4b22-3bcp-x3a8
Aliases: CVE-2026-32104, GHSA-9v82-xrm4-mp52
Summary: StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the updateUserNotifications endpoint accepts a user ID from the request payload and uses it to update that user's notification preferences. It checks that the caller is logged in but never verifies that the caller owns the target account (the missing test is id !== userData.user.id). Any authenticated visitor can therefore modify the notification preferences of any user, including disabling admin notifications to suppress detection of malicious activity. This vulnerability is fixed in 0.4.3.
Fixed by: 0.4.3 (this version is itself still affected by 1 other vulnerability)
VCID-cts7-7e7u-mfa6
Aliases: CVE-2026-32103, GHSA-h7vr-cg25-jf8c
Summary: StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the POST /studiocms_api/dashboard/create-reset-link endpoint allows any authenticated user with admin privileges to generate a password reset token for any other user, including the owner account. The handler verifies that the caller is an admin but does not enforce role hierarchy, nor does it validate that the target userId matches the caller's identity. Combined with the POST /studiocms_api/dashboard/reset-password endpoint, this allows a complete takeover of the highest-privileged account in the system. This vulnerability is fixed in 0.4.3.
Fixed by: 0.4.3 (this version is itself still affected by 1 other vulnerability)
VCID-hz9y-unzu-sqcp
Aliases: CVE-2026-32106, GHSA-wj56-g96r-673q
Summary: StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the REST API createUser endpoint uses string-based rank checks that only block creating owner accounts, while the Dashboard API uses an indexOf-based rank comparison that prevents creating users at or above the caller's own rank. This inconsistency allows an admin to create additional admin accounts via the REST API, enabling privilege proliferation and persistence. This vulnerability is fixed in 0.4.3.
Fixed by: 0.4.3 (this version is itself still affected by 1 other vulnerability)
VCID-kv1r-cpaa-8kd7
Aliases: CVE-2026-32638, GHSA-xvf4-ch4q-2m24
Summary: StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.4, the REST API `getUsers` endpoint uses the attacker-controlled `rank` query parameter to decide whether owner accounts should be filtered from the result set. As a result, an admin token can request `rank=owner` and receive owner account records, including IDs, usernames, display names, and email addresses, even though the adjacent `getUser` endpoint correctly blocks admins from viewing owner users. This is an authorization inconsistency inside the same user-management surface. Version 0.4.4 fixes the issue.
Fixed by: 0.4.4 (this version is affected by 0 other vulnerabilities)
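The four advisories above describe missing or inconsistent authorization checks on one user-management surface: an ownership test that was never made (CVE-2026-32104), and three rank checks that were either absent (CVE-2026-32103), weaker in one API than in another (CVE-2026-32106), or driven by client input (CVE-2026-32638). The TypeScript below is an added example written for this page, not StudioCMS code: it expresses one policy (ownership for the self-service endpoint, strict rank ordering for everything else) and places the weak check next to the hardened one wherever an advisory names a specific weak check. The rank list and its ordering, the in-memory user table and every function name are assumptions made for the example.

```typescript
// Added example, not StudioCMS code. The rank names are used as labels only;
// their ordering, the user table and every function name here are assumptions.

// Ranks ordered lowest to highest. Comparing positions in this list gives a
// total order, which is what lets one helper serve every endpoint below.
const RANKS = ["visitor", "editor", "admin", "owner"] as const;
type Rank = (typeof RANKS)[number];

interface User {
  id: string;
  rank: Rank;
}

// Constructed stand-in for the users table.
const USERS: Record<string, User> = {
  "u-owner": { id: "u-owner", rank: "owner" },
  "u-admin-1": { id: "u-admin-1", rank: "admin" },
  "u-admin-2": { id: "u-admin-2", rank: "admin" },
  "u-editor": { id: "u-editor", rank: "editor" },
};

// True only when `actor` is strictly above `target`. Equal rank is denied:
// an admin may not act on other admins, and certainly not on the owner.
function outranks(actor: Rank, target: Rank): boolean {
  return RANKS.indexOf(actor) > RANKS.indexOf(target);
}

// CVE-2026-32104 (updateUserNotifications): the handler took any user id from
// the body and only checked that the caller was logged in. The fix is an
// ownership test on the target id.
function canUpdateNotifications(caller: User, targetId: string): boolean {
  return targetId === caller.id;
}

// CVE-2026-32106 (createUser): the REST route used a string check that only
// refused "owner", so an admin could mint more admins.
function weakRestCanCreateRank(newRank: Rank): boolean {
  return newRank !== "owner";
}
// Hardened, and what the Dashboard API already did: the new rank must be
// strictly below the caller's own rank.
function canCreateRank(caller: User, newRank: Rank): boolean {
  return outranks(caller.rank, newRank);
}

// CVE-2026-32103 (create-reset-link): "caller is admin" is not enough. The
// target must exist and sit strictly below the caller, so an admin can never
// reset the owner and two admins cannot reset each other.
function canIssueResetLink(caller: User, targetId: string): boolean {
  const target = USERS[targetId];
  if (target === undefined) return false;
  return outranks(caller.rank, target.rank);
}

// CVE-2026-32638 (getUsers): the owner filter was switched on by the client's
// `rank` query parameter, so sending rank=owner switched it off.
function weakListUsers(requestedRank?: Rank): User[] {
  const hideOwners = requestedRank !== "owner"; // decided by the client
  return Object.values(USERS).filter(
    (u) =>
      !(hideOwners && u.rank === "owner") &&
      (requestedRank === undefined || u.rank === requestedRank),
  );
}
// Hardened: visibility derives from the caller's rank (plus the caller's own
// record); the query parameter can only narrow the result set, never widen it.
function listUsers(caller: User, requestedRank?: Rank): User[] {
  return Object.values(USERS).filter(
    (u) =>
      (u.id === caller.id || outranks(caller.rank, u.rank)) &&
      (requestedRank === undefined || u.rank === requestedRank),
  );
}

// Walk-through when run directly: each weak check allows what its advisory
// describes, each hardened check refuses it.
const admin = USERS["u-admin-1"];
console.log("admin edits owner prefs:", canUpdateNotifications(admin, "u-owner"));
console.log("weak REST lets admin create admin:", weakRestCanCreateRank("admin"));
console.log("hardened createUser admin->admin:", canCreateRank(admin, "admin"));
console.log("admin issues reset link for owner:", canIssueResetLink(admin, "u-owner"));
console.log("weak getUsers rank=owner:", weakListUsers("owner").map((u) => u.id));
console.log("hardened getUsers rank=owner:", listUsers(admin, "owner").map((u) => u.id));
```

The point of routing every rank decision through `outranks` is the consistency the fourth advisory calls out: `createUser`, `create-reset-link` and `getUsers` cannot drift apart if they share one comparison, and making that comparison strict (greater-than, not greater-or-equal) is what stops admin-to-admin actions. Any client-supplied filter such as `rank` should be applied after the caller-derived visibility rule, never in place of it.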
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-12T21:30:05.259573+00:00 GitLab Importer Affected by VCID-kv1r-cpaa-8kd7 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/studiocms/CVE-2026-32638.yml 38.6.0
2026-06-12T21:27:59.142870+00:00 GitLab Importer Affected by VCID-hz9y-unzu-sqcp https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/studiocms/CVE-2026-32106.yml 38.6.0
2026-06-12T21:27:39.794062+00:00 GitLab Importer Affected by VCID-4b22-3bcp-x3a8 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/studiocms/CVE-2026-32104.yml 38.6.0
2026-06-12T21:27:03.312432+00:00 GitLab Importer Affected by VCID-cts7-7e7u-mfa6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/studiocms/CVE-2026-32103.yml 38.6.0