{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-19T03:51:01.909","vulnerabilities":[{"cve":{"id":"CVE-2026-32104","sourceIdentifier":"security-advisories@github.com","published":"2026-03-11T21:16:16.457","lastModified":"2026-03-17T15:35:38.860","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the updateUserNotifications endpoint accepts a user ID from the request payload and uses it to update that user's notification preferences. It checks that the caller is logged in but never verifies that the caller owns the target account (id !== userData.user.id). Any authenticated visitor can modify notification preferences for any user, including disabling admin notifications to suppress detection of malicious activity. This vulnerability is fixed in 0.4.3."},{"lang":"es","value":"StudioCMS es un sistema de gestión de contenido sin cabeza, nativo de Astro y renderizado en el lado del servidor. Antes de la versión 0.4.3, el endpoint updateUserNotifications acepta un ID de usuario del payload de la solicitud y lo utiliza para actualizar las preferencias de notificación de ese usuario. Verifica que el llamador ha iniciado sesión, pero nunca verifica que el llamador es propietario de la cuenta objetivo (id !== userData.user.id). Cualquier visitante autenticado puede modificar las preferencias de notificación para cualquier usuario, incluyendo la desactivación de las notificaciones de administrador para suprimir la detección de actividad maliciosa. Esta vulnerabilidad está corregida en la versión 0.4.3."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":2.5}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-639"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:studiocms:studiocms:*:*:*:*:*:*:*:*","versionEndExcluding":"0.4.3","matchCriteriaId":"BD3D1012-B2EE-465F-8398-96C5B01C1399"}]}]}],"references":[{"url":"https://github.com/withstudiocms/studiocms/security/advisories/GHSA-9v82-xrm4-mp52","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]}]}}]}