Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/40447?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/40447?format=api", "purl": "pkg:npm/studiocms@0.4.0", "type": "npm", "namespace": "", "name": "studiocms", "version": "0.4.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "0.4.4", "latest_non_vulnerable_version": "0.4.4", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77203?format=api", "vulnerability_id": "VCID-4b22-3bcp-x3a8", "summary": "StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the updateUserNotifications endpoint accepts a user ID from the request payload and uses it to update that user's notification preferences. It checks that the caller is logged in but never verifies that the caller owns the target account (id !== userData.user.id). Any authenticated visitor can modify notification preferences for any user, including disabling admin notifications to suppress detection of malicious activity. This vulnerability is fixed in 0.4.3.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32104", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05232", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05219", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32104" }, { "reference_url": "https://github.com/withstudiocms/studiocms", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/withstudiocms/studiocms" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32104", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32104" }, { "reference_url": "https://github.com/advisories/GHSA-9v82-xrm4-mp52", "reference_id": "GHSA-9v82-xrm4-mp52", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9v82-xrm4-mp52" }, { "reference_url": "https://github.com/withstudiocms/studiocms/security/advisories/GHSA-9v82-xrm4-mp52", "reference_id": "GHSA-9v82-xrm4-mp52", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T19:47:56Z/" } ], "url": "https://github.com/withstudiocms/studiocms/security/advisories/GHSA-9v82-xrm4-mp52" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374801?format=api", "purl": "pkg:npm/studiocms@0.4.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-kv1r-cpaa-8kd7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/studiocms@0.4.3" } ], "aliases": [ "CVE-2026-32104", "GHSA-9v82-xrm4-mp52" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4b22-3bcp-x3a8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/76949?format=api", "vulnerability_id": "VCID-cts7-7e7u-mfa6", "summary": "StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the POST /studiocms_api/dashboard/create-reset-link endpoint allows any authenticated user with admin privileges to generate a password reset token for any other user, including the owner account. The handler verifies that the caller is an admin but does not enforce role hierarchy, nor does it validate that the target userId matches the caller's identity. Combined with the POST /studiocms_api/dashboard/reset-password endpoint, this allows a complete account takeover of the highest-privileged account in the system. This vulnerability is fixed in 0.4.3.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32103", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05544", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05519", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32103" }, { "reference_url": "https://github.com/withstudiocms/studiocms", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/withstudiocms/studiocms" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32103", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32103" }, { "reference_url": "https://github.com/advisories/GHSA-h7vr-cg25-jf8c", "reference_id": "GHSA-h7vr-cg25-jf8c", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-h7vr-cg25-jf8c" }, { "reference_url": "https://github.com/withstudiocms/studiocms/security/advisories/GHSA-h7vr-cg25-jf8c", "reference_id": "GHSA-h7vr-cg25-jf8c", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T19:48:49Z/" } ], "url": "https://github.com/withstudiocms/studiocms/security/advisories/GHSA-h7vr-cg25-jf8c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374801?format=api", "purl": "pkg:npm/studiocms@0.4.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-kv1r-cpaa-8kd7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/studiocms@0.4.3" } ], "aliases": [ "CVE-2026-32103", "GHSA-h7vr-cg25-jf8c" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cts7-7e7u-mfa6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77097?format=api", "vulnerability_id": "VCID-hz9y-unzu-sqcp", "summary": "StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the REST API createUser endpoint uses string-based rank checks that only block creating owner accounts, while the Dashboard API uses indexOf-based rank comparison that prevents creating users at or above your own rank. This inconsistency allows an admin to create additional admin accounts via the REST API, enabling privilege proliferation and persistence. This vulnerability is fixed in 0.4.3.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32106", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.07413", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.07373", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32106" }, { "reference_url": "https://github.com/withstudiocms/studiocms", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/withstudiocms/studiocms" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32106", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32106" }, { "reference_url": "https://github.com/advisories/GHSA-wj56-g96r-673q", "reference_id": "GHSA-wj56-g96r-673q", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wj56-g96r-673q" }, { "reference_url": "https://github.com/withstudiocms/studiocms/security/advisories/GHSA-wj56-g96r-673q", "reference_id": "GHSA-wj56-g96r-673q", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T19:48:27Z/" } ], "url": "https://github.com/withstudiocms/studiocms/security/advisories/GHSA-wj56-g96r-673q" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374801?format=api", "purl": "pkg:npm/studiocms@0.4.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-kv1r-cpaa-8kd7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/studiocms@0.4.3" } ], "aliases": [ "CVE-2026-32106", "GHSA-wj56-g96r-673q" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hz9y-unzu-sqcp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77281?format=api", "vulnerability_id": "VCID-kv1r-cpaa-8kd7", "summary": "StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.4, the REST API `getUsers` endpoint in StudioCMS uses the attacker-controlled `rank` query parameter to decide whether owner accounts should be filtered from the result set. As a result, an admin token can request `rank=owner` and receive owner account records, including IDs, usernames, display names, and email addresses, even though the adjacent `getUser` endpoint correctly blocks admins from viewing owner users. This is an authorization inconsistency inside the same user-management surface. Version 0.4.4 fixes the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32638", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00026", "scoring_system": "epss", "scoring_elements": "0.07678", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00026", "scoring_system": "epss", "scoring_elements": "0.07714", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32638" }, { "reference_url": "https://github.com/withstudiocms/studiocms", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/withstudiocms/studiocms" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32638", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32638" }, { "reference_url": "https://github.com/withstudiocms/studiocms/commit/aebe8bcb3618bb07c6753e3f5c982c1fe6adea64", "reference_id": "aebe8bcb3618bb07c6753e3f5c982c1fe6adea64", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T15:00:04Z/" } ], "url": "https://github.com/withstudiocms/studiocms/commit/aebe8bcb3618bb07c6753e3f5c982c1fe6adea64" }, { "reference_url": "https://github.com/advisories/GHSA-xvf4-ch4q-2m24", "reference_id": "GHSA-xvf4-ch4q-2m24", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xvf4-ch4q-2m24" }, { "reference_url": "https://github.com/withstudiocms/studiocms/security/advisories/GHSA-xvf4-ch4q-2m24", "reference_id": "GHSA-xvf4-ch4q-2m24", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T15:00:04Z/" } ], "url": "https://github.com/withstudiocms/studiocms/security/advisories/GHSA-xvf4-ch4q-2m24" }, { "reference_url": "https://github.com/withstudiocms/studiocms/releases/tag/studiocms@0.4.4", "reference_id": "studiocms@0.4.4", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T15:00:04Z/" } ], "url": "https://github.com/withstudiocms/studiocms/releases/tag/studiocms@0.4.4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374981?format=api", "purl": "pkg:npm/studiocms@0.4.4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/studiocms@0.4.4" } ], "aliases": [ "CVE-2026-32638", "GHSA-xvf4-ch4q-2m24" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kv1r-cpaa-8kd7" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66447?format=api", "vulnerability_id": "VCID-cepr-tf1s-43ds", "summary": "StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the DELETE /studiocms_api/dashboard/api-tokens endpoint allows any authenticated user with editor privileges or above to revoke API tokens belonging to any other user, including admin and owner accounts. The handler accepts tokenID and userID directly from the request payload without verifying token ownership, caller identity, or role hierarchy. This enables targeted denial of service against critical integrations and automations. This vulnerability is fixed in 0.4.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30945", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00054", "scoring_system": "epss", "scoring_elements": "0.17473", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00054", "scoring_system": "epss", "scoring_elements": "0.17309", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30945" }, { "reference_url": "https://github.com/withstudiocms/studiocms", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/withstudiocms/studiocms" }, { "reference_url": "https://github.com/withstudiocms/studiocms/commit/9eec9c3b45523b635cfe16d55aa55afabacbebe3", "reference_id": "9eec9c3b45523b635cfe16d55aa55afabacbebe3", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T19:16:24Z/" } ], "url": "https://github.com/withstudiocms/studiocms/commit/9eec9c3b45523b635cfe16d55aa55afabacbebe3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30945", "reference_id": "CVE-2026-30945", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30945" }, { "reference_url": "https://github.com/advisories/GHSA-8rgj-vrfr-6hqr", "reference_id": "GHSA-8rgj-vrfr-6hqr", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8rgj-vrfr-6hqr" }, { "reference_url": "https://github.com/withstudiocms/studiocms/security/advisories/GHSA-8rgj-vrfr-6hqr", "reference_id": "GHSA-8rgj-vrfr-6hqr", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T19:16:24Z/" } ], "url": "https://github.com/withstudiocms/studiocms/security/advisories/GHSA-8rgj-vrfr-6hqr" }, { "reference_url": "https://github.com/withstudiocms/studiocms/releases/tag/studiocms@0.4.0", "reference_id": "studiocms@0.4.0", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T19:16:24Z/" } ], "url": "https://github.com/withstudiocms/studiocms/releases/tag/studiocms@0.4.0" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40447?format=api", "purl": "pkg:npm/studiocms@0.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4b22-3bcp-x3a8" }, { "vulnerability": "VCID-cts7-7e7u-mfa6" }, { "vulnerability": "VCID-hz9y-unzu-sqcp" }, { "vulnerability": "VCID-kv1r-cpaa-8kd7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/studiocms@0.4.0" } ], "aliases": [ "CVE-2026-30945", "GHSA-8rgj-vrfr-6hqr" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cepr-tf1s-43ds" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66437?format=api", "vulnerability_id": "VCID-fj6p-46u9-w7gf", "summary": "StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the /studiocms_api/dashboard/api-tokens endpoint allows any authenticated user (at least Editor) to generate API tokens for any other user, including owner and admin accounts. The endpoint fails to validate whether the requesting user is authorized to create tokens on behalf of the target user ID, resulting in a full privilege escalation. This vulnerability is fixed in 0.4.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30944", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00058", "scoring_system": "epss", "scoring_elements": "0.18693", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00058", "scoring_system": "epss", "scoring_elements": "0.1853", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30944" }, { "reference_url": "https://github.com/withstudiocms/studiocms", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/withstudiocms/studiocms" }, { "reference_url": "https://github.com/withstudiocms/studiocms/releases/tag/studiocms%400.4.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/withstudiocms/studiocms/releases/tag/studiocms%400.4.0" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30944", "reference_id": "CVE-2026-30944", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30944" }, { "reference_url": "https://github.com/withstudiocms/studiocms/commit/f4a209fc090c90195e2419fff47b48a46eab7441", "reference_id": "f4a209fc090c90195e2419fff47b48a46eab7441", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-10T17:33:50Z/" } ], "url": "https://github.com/withstudiocms/studiocms/commit/f4a209fc090c90195e2419fff47b48a46eab7441" }, { "reference_url": "https://github.com/advisories/GHSA-667w-mmh7-mrr4", "reference_id": "GHSA-667w-mmh7-mrr4", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-667w-mmh7-mrr4" }, { "reference_url": "https://github.com/withstudiocms/studiocms/security/advisories/GHSA-667w-mmh7-mrr4", "reference_id": "GHSA-667w-mmh7-mrr4", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-10T17:33:50Z/" } ], "url": "https://github.com/withstudiocms/studiocms/security/advisories/GHSA-667w-mmh7-mrr4" }, { "reference_url": "https://github.com/withstudiocms/studiocms/releases/tag/studiocms@0.4.0", "reference_id": "studiocms@0.4.0", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-10T17:33:50Z/" } ], "url": "https://github.com/withstudiocms/studiocms/releases/tag/studiocms@0.4.0" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40447?format=api", "purl": "pkg:npm/studiocms@0.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4b22-3bcp-x3a8" }, { "vulnerability": "VCID-cts7-7e7u-mfa6" }, { "vulnerability": "VCID-hz9y-unzu-sqcp" }, { "vulnerability": "VCID-kv1r-cpaa-8kd7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/studiocms@0.4.0" } ], "aliases": [ "CVE-2026-30944", "GHSA-667w-mmh7-mrr4" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fj6p-46u9-w7gf" } ], "risk_score": "3.1", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/studiocms@0.4.0" }