Lucene search
K

10 matches found

RedhatCVE
RedhatCVE
added 2026/03/26 3:17 p.m.4 views

CVE-2026-32638

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.4, the REST API getUsers endpoint in StudioCMS uses the attacker-controlled rank query parameter to decide whether owner accounts should be filtered from the result set. As a result, an admin token...

2.7CVSS5.8AI score0.00375EPSS
Exploits1References1
NVD
NVD
added 2026/03/18 9:16 p.m.9 views

CVE-2026-32638

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.4, the REST API getUsers endpoint in StudioCMS uses the attacker-controlled rank query parameter to decide whether owner accounts should be filtered from the result set. As a result, an admin token...

2.7CVSS0.00375EPSS
Exploits1References3
ATTACKERKB
ATTACKERKB
added 2026/03/18 8:41 p.m.3 views

CVE-2026-32638

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.4, the REST API getUsers endpoint in StudioCMS uses the attacker-controlled rank query parameter to decide whether owner accounts should be filtered from the result set. As a result, an admin token...

2.7CVSS5.8AI score0.00375EPSS
Exploits1References4Affected Software1
Cvelist
Cvelist
added 2026/03/18 8:41 p.m.18 views

CVE-2026-32638 StudioCMS REST getUsers Exposes Owner Account Records to Admin Tokens

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.4, the REST API getUsers endpoint in StudioCMS uses the attacker-controlled rank query parameter to decide whether owner accounts should be filtered from the result set. As a result, an admin token...

2.7CVSS0.00375EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2026/03/18 8:41 p.m.7 views

CVE-2026-32638 StudioCMS REST getUsers Exposes Owner Account Records to Admin Tokens

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.4, the REST API getUsers endpoint in StudioCMS uses the attacker-controlled rank query parameter to decide whether owner accounts should be filtered from the result set. As a result, an admin token...

2.7CVSS5.8AI score0.00375EPSS
Exploits1References3
CVE
CVE
added 2026/03/18 8:41 p.m.21 views

CVE-2026-32638

CVE-2026-32638 affects StudioCMS before 0.4.4. The REST API endpoint getUsers can be invoked by an admin token with rank=owner to enumerate owner accounts (id, username, display name, email), bypassing the intended boundary even though getUser blocks admins. Root cause: using an attacker-controll...

2.7CVSS5.8AI score0.00375EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2026/03/18 8:41 p.m.5 views

CVE-2026-32638 StudioCMS REST getUsers Exposes Owner Account Records to Admin Tokens

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.4, the REST API getUsers endpoint in StudioCMS uses the attacker-controlled rank query parameter to decide whether owner accounts should be filtered from the result set. As a result, an admin token...

2.7CVSS5.8AI score0.00375EPSS
Exploits1References5
Github Security Blog
Github Security Blog
added 2026/03/16 4:37 p.m.8 views

StudioCMS REST getUsers Exposes Owner Account Records to Admin Tokens

Summary The REST API getUsers endpoint in StudioCMS uses the attacker-controlled rank query parameter to decide whether owner accounts should be filtered from the result set. As a result, an admin token can request rank=owner and receive owner account records, including IDs, usernames, display...

2.7CVSS5.9AI score0.00375EPSS
Exploits1References5Affected Software1
OSV
OSV
added 2026/03/16 4:37 p.m.3 views

GHSA-XVF4-CH4Q-2M24 StudioCMS REST getUsers Exposes Owner Account Records to Admin Tokens

Summary The REST API getUsers endpoint in StudioCMS uses the attacker-controlled rank query parameter to decide whether owner accounts should be filtered from the result set. As a result, an admin token can request rank=owner and receive owner account records, including IDs, usernames, display...

2.7CVSS5.9AI score0.00375EPSS
Exploits1References5
Positive Technologies
Positive Technologies
added 2026/03/16 12:0 a.m.11 views

PT-2026-25850

Summary The REST API getUsers endpoint in StudioCMS uses the attacker-controlled rank query parameter to decide whether owner accounts should be filtered from the result set. As a result, an admin token can request rank=owner and receive owner account records, including IDs, usernames, display...

2.7CVSS5.9AI score0.00375EPSS
Exploits1References7
Rows per page
Query Builder