Package details: pkg:npm/studiocms@0.4.3
purl: pkg:npm/studiocms@0.4.3
Next non-vulnerable version: 0.4.4
Latest non-vulnerable version: 0.4.4
Risk: 1.4
Vulnerabilities affecting this package (1)

Vulnerability: VCID-kv1r-cpaa-8kd7
Aliases: CVE-2026-32638, GHSA-xvf4-ch4q-2m24
Summary: StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.4, the REST API `getUsers` endpoint in StudioCMS uses the attacker-controlled `rank` query parameter to decide whether owner accounts should be filtered from the result set. As a result, an admin token can request `rank=owner` and receive owner account records, including IDs, usernames, display names, and email addresses, even though the adjacent `getUser` endpoint correctly blocks admins from viewing owner users. This is an authorization inconsistency inside the same user-management surface. Version 0.4.4 fixes the issue.
Fixed by: 0.4.4
Affected by 0 other vulnerabilities.
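The getUsers flaw above, shown as an added example (not StudioCMS code) in TypeScript: a handler that lets the caller's own query parameter decide whether owner rows are filtered, next to a hardened handler that derives the visibility rule from the caller's rank and shares it with the single-record endpoint. The rank names, the User fields, the request shape and the sample accounts are assumptions made for illustration.

```typescript
// Added example, not StudioCMS code. Rank names, User fields, the request
// shape and the sample accounts are assumptions made for illustration.

type Rank = "visitor" | "editor" | "admin" | "owner";

interface User {
  id: string;
  username: string;
  displayName: string;
  email: string;
  rank: Rank;
}

interface ApiRequest {
  caller: User;                    // identity resolved from the API token
  query: Record<string, string>;   // attacker-controlled query string
}

// Constructed sample user table (not real data).
const USERS: User[] = [
  { id: "u1", username: "root",  displayName: "Site Owner", email: "owner@example.test", rank: "owner" },
  { id: "u2", username: "alice", displayName: "Alice",      email: "alice@example.test", rank: "admin" },
  { id: "u3", username: "bob",   displayName: "Bob",        email: "bob@example.test",   rank: "editor" },
];

function requireAdminOrOwner(caller: User): void {
  if (caller.rank !== "admin" && caller.rank !== "owner") throw new Error("forbidden");
}

// Vulnerable shape: whether owner rows are filtered is decided by a query
// parameter the caller chose, so an admin sends rank=owner and gets them all.
function getUsersVulnerable(req: ApiRequest): User[] {
  requireAdminOrOwner(req.caller);
  const hideOwners = req.query.rank !== "owner";
  return USERS.filter(u => !(hideOwners && u.rank === "owner"));
}

// Hardened shape: one visibility rule, derived from the caller's own rank and
// shared by the single-record and list endpoints. Query parameters may narrow
// the result within what the caller is allowed to see, never widen it.
function canView(caller: User, target: User): boolean {
  if (caller.rank === "owner") return true;
  if (caller.rank === "admin") return target.rank !== "owner";
  return caller.id === target.id;
}

function getUserFixed(caller: User, id: string): User | undefined {
  const target = USERS.find(u => u.id === id);
  return target !== undefined && canView(caller, target) ? target : undefined;
}

function getUsersFixed(req: ApiRequest): User[] {
  requireAdminOrOwner(req.caller);
  const visible = USERS.filter(u => canView(req.caller, u));
  const wanted: string | undefined = req.query.rank;
  return wanted === undefined ? visible : visible.filter(u => u.rank === wanted);
}

// Consistency property to check after any change to either endpoint: every
// record the list endpoint returns to a caller must also be retrievable by
// that caller through the single-record endpoint.
function listAndGetAgree(caller: User, query: Record<string, string>): boolean {
  return getUsersFixed({ caller, query }).every(u => getUserFixed(caller, u.id) !== undefined);
}
```

The `listAndGetAgree` check is the property that was violated here: the list endpoint returned owner records that `getUser` would refuse to the same caller. Running it for each rank after touching either endpoint catches this class of inconsistency before release.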
Vulnerabilities fixed by this package (3)

Vulnerability: VCID-4b22-3bcp-x3a8
Aliases: CVE-2026-32104, GHSA-9v82-xrm4-mp52
Summary: StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the updateUserNotifications endpoint accepts a user ID from the request payload and uses it to update that user's notification preferences. It checks that the caller is logged in but never verifies that the caller owns the target account (id !== userData.user.id). Any authenticated visitor can modify notification preferences for any user, including disabling admin notifications to suppress detection of malicious activity. This vulnerability is fixed in 0.4.3.

Vulnerability: VCID-cts7-7e7u-mfa6
Aliases: CVE-2026-32103, GHSA-h7vr-cg25-jf8c
Summary: StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the POST /studiocms_api/dashboard/create-reset-link endpoint allows any authenticated user with admin privileges to generate a password reset token for any other user, including the owner account. The handler verifies that the caller is an admin but does not enforce role hierarchy, nor does it validate that the target userId matches the caller's identity. Combined with the POST /studiocms_api/dashboard/reset-password endpoint, this allows a complete account takeover of the highest-privileged account in the system. This vulnerability is fixed in 0.4.3.

Vulnerability: VCID-hz9y-unzu-sqcp
Aliases: CVE-2026-32106, GHSA-wj56-g96r-673q
Summary: StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the REST API createUser endpoint uses string-based rank checks that only block creating owner accounts, while the Dashboard API uses indexOf-based rank comparison that prevents creating users at or above your own rank. This inconsistency allows an admin to create additional admin accounts via the REST API, enabling privilege proliferation and persistence. This vulnerability is fixed in 0.4.3.
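The three gaps fixed in 0.4.3 (the missing ownership check on updateUserNotifications, the missing role hierarchy on create-reset-link, and the string-based versus position-based rank check on createUser) as one added example in TypeScript, not StudioCMS code: each handler appears in its unchecked shape beside a checked one, and all three checked shapes reuse a single position-based `outranks` comparison so the hierarchy cannot drift between endpoints. The rank names, the session shape, the token format and the in-memory stores are assumptions made for illustration.

```typescript
// Added example, not StudioCMS code. Rank names, the session shape, the
// token format and the in-memory stores are assumptions made for illustration.

type Rank = "visitor" | "editor" | "admin" | "owner";
const RANKS: Rank[] = ["visitor", "editor", "admin", "owner"];  // ascending privilege

interface User { id: string; rank: Rank; notifications: boolean; }
interface Session { user: User; }

// Constructed sample accounts (not real data).
const USERS: Record<string, User> = {
  owner: { id: "owner", rank: "owner",  notifications: true },
  alice: { id: "alice", rank: "admin",  notifications: true },
  bob:   { id: "bob",   rank: "editor", notifications: true },
};

function isAdminOrOwner(r: Rank): boolean { return r === "admin" || r === "owner"; }

// Position-based comparison, the shape the Dashboard API already used:
// true only when the caller's rank is strictly above the target rank.
function outranks(caller: Rank, target: Rank): boolean {
  return RANKS.indexOf(caller) > RANKS.indexOf(target);
}

// 1. updateUserNotifications: login is checked, ownership of the target is not.
function updateNotificationsVulnerable(_s: Session, body: { id: string; enabled: boolean }): boolean {
  const target = USERS[body.id];
  if (!target) return false;
  target.notifications = body.enabled;  // any logged-in user can silence anyone
  return true;
}
function updateNotificationsFixed(s: Session, body: { id: string; enabled: boolean }): boolean {
  if (body.id !== s.user.id) return false;  // the missing id !== userData.user.id guard
  s.user.notifications = body.enabled;
  return true;
}

// 2. create-reset-link: "is admin" is checked, "may act on this target" is not.
const resetTokens = new Map<string, string>();  // userId -> token (hypothetical store)
function issueToken(userId: string): string {
  const token = `reset-${userId}-${resetTokens.size}`;  // placeholder; use a CSPRNG in real code
  resetTokens.set(userId, token);
  return token;
}
function createResetLinkVulnerable(s: Session, userId: string): string | null {
  if (!isAdminOrOwner(s.user.rank)) return null;
  return issueToken(userId);  // an admin can mint a token for the owner account
}
function createResetLinkFixed(s: Session, userId: string): string | null {
  const target = USERS[userId];
  if (!target) return null;
  const self = target.id === s.user.id;
  if (!self && !(isAdminOrOwner(s.user.rank) && outranks(s.user.rank, target.rank))) return null;
  return issueToken(userId);
}

// 3. createUser: a string check that only blocks "owner" vs. a real rank comparison.
function createUserVulnerable(s: Session, newRank: Rank): boolean {
  if (!isAdminOrOwner(s.user.rank)) return false;
  return newRank !== "owner";  // an admin may still create more admins
}
function createUserFixed(s: Session, newRank: Rank): boolean {
  if (!isAdminOrOwner(s.user.rank)) return false;
  return outranks(s.user.rank, newRank);  // nothing at or above the caller's own rank
}
```

The common thread is that "is the caller an admin?" is a role check, not an authorization decision; each of the checked handlers also asks "may this caller act on this particular target?", and does so through one shared comparison rather than per-endpoint string matching.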

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-13T06:28:00.984594+00:00 GHSA Importer Affected by VCID-kv1r-cpaa-8kd7 https://github.com/advisories/GHSA-xvf4-ch4q-2m24 38.6.0
2026-06-13T06:27:54.938738+00:00 GHSA Importer Fixing VCID-hz9y-unzu-sqcp https://github.com/advisories/GHSA-wj56-g96r-673q 38.6.0
2026-06-13T06:27:54.908525+00:00 GHSA Importer Fixing VCID-4b22-3bcp-x3a8 https://github.com/advisories/GHSA-9v82-xrm4-mp52 38.6.0
2026-06-13T06:27:54.877607+00:00 GHSA Importer Fixing VCID-cts7-7e7u-mfa6 https://github.com/advisories/GHSA-h7vr-cg25-jf8c 38.6.0
2026-06-12T21:30:05.267189+00:00 GitLab Importer Affected by VCID-kv1r-cpaa-8kd7 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/studiocms/CVE-2026-32638.yml 38.6.0
2026-06-12T21:27:59.150214+00:00 GitLab Importer Fixing VCID-hz9y-unzu-sqcp https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/studiocms/CVE-2026-32106.yml 38.6.0
2026-06-12T21:27:39.802084+00:00 GitLab Importer Fixing VCID-4b22-3bcp-x3a8 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/studiocms/CVE-2026-32104.yml 38.6.0
2026-06-12T21:27:03.320992+00:00 GitLab Importer Fixing VCID-cts7-7e7u-mfa6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/studiocms/CVE-2026-32103.yml 38.6.0
2026-06-12T07:49:38.817954+00:00 GithubOSV Importer Fixing VCID-hz9y-unzu-sqcp https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-wj56-g96r-673q/GHSA-wj56-g96r-673q.json 38.6.0
2026-06-12T07:49:30.660997+00:00 GithubOSV Importer Fixing VCID-4b22-3bcp-x3a8 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-9v82-xrm4-mp52/GHSA-9v82-xrm4-mp52.json 38.6.0
2026-06-12T07:49:10.650181+00:00 GithubOSV Importer Fixing VCID-cts7-7e7u-mfa6 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-h7vr-cg25-jf8c/GHSA-h7vr-cg25-jf8c.json 38.6.0