CVE-2026-32638
StudioCMS is a server-side-rendered, Astro-native, headless content management system. Prior to 0.4.4, the REST API getUsers endpoint in StudioCMS uses the attacker-controlled rank query parameter to decide whether owner accounts should be filtered from the result set. As a result, an admin token...
CVE-2026-32638 StudioCMS REST getUsers Exposes Owner Account Records to Admin Tokens
StudioCMS is a server-side-rendered, Astro-native, headless content management system. Prior to 0.4.4, the REST API getUsers endpoint in StudioCMS uses the attacker-controlled rank query parameter to decide whether owner accounts should be filtered from the result set. As a result, an admin token...
StudioCMS Security Vulnerability
StudioCMS is an open source content management system. StudioCMS suffers from an information disclosure vulnerability that stems from the use of an attacker-controlled rank query parameter in the REST API getUsers endpoint, which can be exploited by an attacker to cause an administrator...
Authorization Bypass Through User-Controlled Key
Overview effectify is a utility library that bridges Effect-ts with various utilities and projects, such as Astro! Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the getUsers process. An attacker can access sensitive owner account...
Authorization Bypass Through User-Controlled Key
Overview @withstudiocms/api-spec is an API specification for StudioCMS. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the getUsers process. An attacker can access sensitive owner account information, such as IDs, usernames, display names, a...
GHSA-XVF4-CH4Q-2M24 StudioCMS REST getUsers Exposes Owner Account Records to Admin Tokens
Summary The REST API getUsers endpoint in StudioCMS uses the attacker-controlled rank query parameter to decide whether owner accounts should be filtered from the result set. As a result, an admin token can request rank=owner and receive owner account records, including IDs, usernames, display...
Authorization Bypass Through User-Controlled Key
Overview @withstudiocms/effect provides Effect-TS utilities for Astro. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the getUsers process. An attacker can access sensitive owner account information, such as IDs, usernames, display names, and...
PT-2026-25850
Summary The REST API getUsers endpoint in StudioCMS uses the attacker-controlled rank query parameter to decide whether owner accounts should be filtered from the result set. As a result, an admin token can request rank=owner and receive owner account records, including IDs, usernames, display...
EUVD-2009-2876
Malware in sbrugna...
EUVD-2023-31445
Malicious code in bioql PyPI...
CVE-2023-27707
SQL injection vulnerability found in DedeCMS v.5.7.106 allows a remote attacker to execute arbitrary code via the rank parameter in the /dede/groupstore.php endpoint...
SourceCodester Class Scheduling System Cross-Site Scripting Vulnerability
Class Scheduling System is a class scheduling system. A cross-site scripting vulnerability exists in Class Scheduling System v1.0, which originates from the lack of effective filtering and escaping of user-supplied data in the AcademicRank parameter of the file /admin/saveteacher.php in the...
CVE-2023-27709
SQL injection vulnerability found in DedeCMS v.5.7.106 allows a remote attacker to execute arbitrary code via the rank parameter in the /dedestorycatalog.php endpoint...
PT-2023-21303 · Dedecms · Dedecms
Name of the Vulnerable Software and Affected Versions: DedeCMS version 5.7.106. Description: A SQL injection issue allows a remote attacker to execute arbitrary code via the rank parameter in the "/dede/groupstore.php" endpoint. Recommendations: For DedeCMS version 5.7.106, consider restricting...
Desdev DedeCMS SQL Injection Vulnerability
Desdev DedeCMS (Dream Weaving Content Management System) is a PHP-based open-source content management system (CMS) from the Chinese company Desdev (Zhuozhuo Network). The system provides content publishing, content management, content editing and content retrieval. A security vulnerability exists ...
PT-2023-21304 · Dedecms · Dedecms
Name of the Vulnerable Software and Affected Versions: DedeCMS version 5.7.106. Description: A SQL injection issue allows a remote attacker to execute arbitrary code via the rank parameter in the "/dedestorycatalog.php" endpoint. Recommendations: For DedeCMS version 5.7.106, as a temporary...
CVE-2009-2884
Cross-site scripting (XSS) vulnerability in bios.php in PHP Scripts Now World's Tallest Buildings allows remote attackers to inject arbitrary web script or HTML via the rank parameter...