Lucene search
K

91 matches found

CNNVD
CNNVD
added 2026/03/11 12:0 a.m.9 views

StudioCMS 授权问题漏洞

StudioCMS is StudioCMS open source a content management system . StudioCMS suffers from an authorization issue vulnerability that stems from improper access control in the password reset token generation endpoint, which can be exploited by an attacker to cause an administrator to take over a...

7.2CVSS5.8AI score0.00344EPSS
Exploits1References1
CNNVD
CNNVD
added 2026/03/11 12:0 a.m.8 views

StudioCMS 安全漏洞

StudioCMS is StudioCMS open source a content management system . A security vulnerability exists in StudioCMS that can be exploited by an attacker to cause an authenticated user to perform arbitrary file operations on S3 storage buckets...

7.6CVSS5.9AI score0.00183EPSS
Exploits1References1
CNNVD
CNNVD
added 2026/03/11 12:0 a.m.11 views

StudioCMS 安全漏洞

StudioCMS is StudioCMS open source a content management system . A security vulnerability exists in StudioCMS that can be exploited by an attacker to cause any authenticated user to modify the notification preferences of other users...

5.4CVSS5.8AI score0.00253EPSS
Exploits1References1
CNNVD
CNNVD
added 2026/03/11 12:0 a.m.9 views

StudioCMS 安全漏洞

StudioCMS is StudioCMS open source a content management system . StudioCMS has a security vulnerability that can be exploited by an attacker to cause an administrator to create additional administrator accounts via the REST API...

7.2CVSS5.8AI score0.003EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/03/11 12:0 a.m.6 views

PT-2026-24822

Summary The REST API createUser endpoint uses string-based rank checks that only block creating owner accounts, while the Dashboard API uses indexOf-based rank comparison that prevents creating users at or above your own rank. This inconsistency allows an admin to create additional admin accounts...

4.7CVSS5.8AI score0.003EPSS
Exploits1References6
Positive Technologies
Positive Technologies
added 2026/03/11 12:0 a.m.5 views

PT-2026-24818

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.3.1, the S3 storage manager's isAuthorized function is declared async returns Promise but is called without await in both the POST and PUT handlers. Since a Promise object is always truthy in...

7.6CVSS5.8AI score0.00183EPSS
Exploits1References4
Snyk
Snyk
added 2026/03/10 6:16 p.m.4 views

Incorrect Authorization

Overview studiocms is an A Community-Driven Astro native CMS. Built from the ground up by the Astro community. Affected versions of this package are vulnerable to Incorrect Authorization through the api-tokens endpoint, which allows an authenticated user with editor privileges or higher to genera...

8.8CVSS5.8AI score0.00564EPSS
Exploits3References3
EUVD
EUVD
added 2026/03/10 6:16 p.m.4 views

EUVD-2026-10555

StudioCMS has Privilege Escalation via Insecure API Token Generation...

8.8CVSS5.8AI score0.00564EPSS
Exploits3References6
vulnersOsv
vulnersOsv
added 2026/03/10 6:16 p.m.5 views

@studiocms/migrator (>=0.2.0 <=0.2.1) potentially affected by CVE-2026-30944 via studiocms (>=0.2.0 <=0.3.0)

studiocms NPM version =0.2.0, =0.2.0, =0.2.1 Source cves: CVE-2026-30944 Source advisory: SNYK:JS-STUDIOCMS-15518582...

8.8CVSS5.8AI score0.00564EPSS
Exploits3
vulnersOsv
vulnersOsv
added 2026/03/10 6:16 p.m.6 views

studiocms (>=0.1.0 <=0.1.0-beta.31) potentially affected by CVE-2026-30944 via @withstudiocms/auth-kit (>=0.1.0-beta.1 <=0.1.0)

@withstudiocms/auth-kit NPM version =0.1.0-beta.1, =0.1.0, =0.1.0-beta.31 Source cves: CVE-2026-30944 Source advisory: SNYK:JS-WITHSTUDIOCMSAUTHKIT-15518581...

8.8CVSS5.8AI score0.00564EPSS
Exploits3
EUVD
EUVD
added 2026/03/10 6:16 p.m.6 views

EUVD-2026-10556

StudioCMS has Privilege Escalation via Insecure API Token Generation...

8.8CVSS5.8AI score0.00564EPSS
Exploits3References6
OSV
OSV
added 2026/03/10 6:16 p.m.0 views

GHSA-667W-MMH7-MRR4 StudioCMS has Privilege Escalation via Insecure API Token Generation

Summary The /studiocmsapi/dashboard/api-tokens endpoint allows any authenticated user at least Editor to generate API tokens for any other user, including owner and admin accounts. The endpoint fails to validate whether the requesting user is authorized to create tokens on behalf of the target us...

8.8CVSS5.9AI score0.00564EPSS
Exploits3References7
Cvelist
Cvelist
added 2026/03/10 4:52 p.m.30 views

CVE-2026-30945 StudioCMS: IDOR — Arbitrary API Token Revocation Leading to Denial of Service

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the DELETE /studiocmsapi/dashboard/api-tokens endpoint allows any authenticated user with editor privileges or above to revoke API tokens belonging to any other user, including admin and owner...

7.1CVSS0.00452EPSS
Exploits2References3
OSV
OSV
added 2026/03/10 4:52 p.m.8 views

CVE-2026-30945 StudioCMS: IDOR — Arbitrary API Token Revocation Leading to Denial of Service

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the DELETE /studiocmsapi/dashboard/api-tokens endpoint allows any authenticated user with editor privileges or above to revoke API tokens belonging to any other user, including admin and owner...

7.1CVSS5.8AI score0.00452EPSS
Exploits2References5
ATTACKERKB
ATTACKERKB
added 2026/03/10 4:52 p.m.4 views

CVE-2026-30945

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the DELETE /studiocmsapi/dashboard/api-tokens endpoint allows any authenticated user with editor privileges or above to revoke API tokens belonging to any other user, including admin and owner...

7.1CVSS5.8AI score0.00452EPSS
Exploits2References4Affected Software1
CVE
CVE
added 2026/03/10 4:52 p.m.27 views

CVE-2026-30945

CVE-2026-30945 : StudioCMS prior to 0.4.0 exposes an authorization flaw in DELETE /studiocms_api/dashboard/api-tokens. Any authenticated user with editor privileges or above can revoke API tokens for any user (including admin/owner) because tokenID and userID are taken directly from the request w...

7.1CVSS5.8AI score0.00452EPSS
Exploits2References3Affected Software1
Cvelist
Cvelist
added 2026/03/10 4:48 p.m.31 views

CVE-2026-30944 StudioCMS Affected by Privilege Escalation via Insecure API Token Generation

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the /studiocmsapi/dashboard/api-tokens endpoint allows any authenticated user at least Editor to generate API tokens for any other user, including owner and admin accounts. The endpoint fails to...

8.8CVSS0.00564EPSS
Exploits3References3
ATTACKERKB
ATTACKERKB
added 2026/03/10 4:48 p.m.4 views

CVE-2026-30944

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the /studiocmsapi/dashboard/api-tokens endpoint allows any authenticated user at least Editor to generate API tokens for any other user, including owner and admin accounts. The endpoint fails to...

8.8CVSS5.8AI score0.00564EPSS
Exploits3References4Affected Software1
OSV
OSV
added 2026/03/10 4:48 p.m.4 views

CVE-2026-30944 StudioCMS Affected by Privilege Escalation via Insecure API Token Generation

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the /studiocmsapi/dashboard/api-tokens endpoint allows any authenticated user at least Editor to generate API tokens for any other user, including owner and admin accounts. The endpoint fails to...

8.8CVSS5.8AI score0.00564EPSS
Exploits3References5
Positive Technologies
Positive Technologies
added 2026/03/10 12:0 a.m.8 views

PT-2026-24252

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the /studiocms api/dashboard/api-tokens endpoint allows any authenticated user at least Editor to generate API tokens for any other user, including owner and admin accounts. The endpoint fails t...

8.8CVSS5.8AI score0.00564EPSS
Exploits3References3
Rows per page
Query Builder