Exploitation Summary
EIP tracks 2 public exploits for CVE-2026-30945, with PoCs published by XiaomingX and FilipeGaudard.
AI-analyzed exploit summary: These repositories contain functional Python exploits for CVE-2026-30945, an IDOR vulnerability in StudioCMS ≤ 0.3.0 that allows authenticated users with editor privileges or above to revoke API tokens belonging to other users, including admins and owners, leading to denial of service against whatever integrations depend on those tokens. The PoCs include both manual and automated testing modes, with detailed documentation and examples.
Description
StudioCMS is a server-side-rendered, Astro-native, headless content management system. Prior to 0.4.0, the DELETE /studiocms_api/dashboard/api-tokens endpoint allows any authenticated user with editor privileges or above to revoke API tokens belonging to any other user, including admin and owner accounts. The handler takes tokenID and userID directly from the request payload and acts on them without verifying that the token belongs to the caller, that the supplied userID matches the authenticated session, or that the caller outranks the token's owner. Because API tokens typically back CI pipelines, integrations and automations, an editor can cause a targeted denial of service by revoking an owner's or admin's token. This vulnerability is fixed in 0.4.0; upgrading is the remediation the advisory gives.
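The following TypeScript is an added illustration of the access-control flaw described above, not StudioCMS source. It models a token-revocation handler in two forms: the vulnerable pattern (authorize on role only, then delete whatever tokenID/userID the body names) and a hardened form that ignores the client-supplied userID for authorization, binds the decision to the caller's own identity, and only lets a strictly higher-ranked role revoke someone else's token. The Role/User/ApiToken types, the ROLE_RANK table, the sample accounts and the token IDs are all constructed for this example; only the payload field names tokenID and userID come from the advisory.

```typescript
// Added example for CVE-2026-30945 (not StudioCMS code). Types, role ranks,
// accounts and token IDs below are assumptions constructed for illustration.

type Role = "visitor" | "editor" | "admin" | "owner";
const ROLE_RANK: Record<Role, number> = { visitor: 0, editor: 1, admin: 2, owner: 3 };

interface User { id: string; role: Role }
interface ApiToken { id: string; userId: string; description: string }
// Payload shape per the advisory: tokenID and userID taken from the request body.
interface DeleteBody { tokenID: string; userID: string }
interface Result { status: number; body: string }

// Constructed sample directory and token store (not real accounts or tokens).
const users: Record<string, User> = {
  "u-owner": { id: "u-owner", role: "owner" },
  "u-editor": { id: "u-editor", role: "editor" },
};
function seedTokens(): Map<string, ApiToken> {
  return new Map<string, ApiToken>([
    ["tok-owner-ci", { id: "tok-owner-ci", userId: "u-owner", description: "CI deploy" }],
    ["tok-editor-1", { id: "tok-editor-1", userId: "u-editor", description: "editor script" }],
  ]);
}

// Vulnerable pattern: the only check is "caller is at least an editor".
// The (tokenID, userID) pair is trusted as-is, so any editor can name the
// owner's token and the owner's user ID and have it deleted.
function deleteTokenVulnerable(caller: User, body: DeleteBody, tokens: Map<string, ApiToken>): Result {
  if (ROLE_RANK[caller.role] < ROLE_RANK.editor) return { status: 403, body: "forbidden" };
  const token = tokens.get(body.tokenID);
  if (!token || token.userId !== body.userID) return { status: 404, body: "not found" };
  tokens.delete(body.tokenID);
  return { status: 200, body: "revoked" };
}

// Hardened: authorization is derived from the session (caller) and the
// token's stored owner, never from body.userID. A caller may revoke a token
// only if it is their own or they strictly outrank its owner.
function deleteTokenHardened(
  caller: User, body: DeleteBody, tokens: Map<string, ApiToken>, directory: Record<string, User>,
): Result {
  if (ROLE_RANK[caller.role] < ROLE_RANK.editor) return { status: 403, body: "forbidden" };
  const token = tokens.get(body.tokenID);
  if (!token) return { status: 404, body: "not found" };
  const ownsIt = token.userId === caller.id;
  const owner = directory[token.userId];
  const outranksOwner = owner !== undefined && ROLE_RANK[caller.role] > ROLE_RANK[owner.role];
  // Same 404 for "exists but not yours" as for "missing", so the endpoint
  // cannot be used by a low-privilege caller to enumerate other users' token IDs.
  if (!ownsIt && !outranksOwner) return { status: 404, body: "not found" };
  tokens.delete(body.tokenID);
  return { status: 200, body: "revoked" };
}

// Reproduce the advisory's scenario: an editor targets the owner's CI token.
function demo(): { vulnerable: Result; hardened: Result; ownerTokenSurvives: boolean } {
  const editor = users["u-editor"];
  const attack: DeleteBody = { tokenID: "tok-owner-ci", userID: "u-owner" };
  const vulnerable = deleteTokenVulnerable(editor, attack, seedTokens());
  const store = seedTokens();
  const hardened = deleteTokenHardened(editor, attack, store, users);
  return { vulnerable, hardened, ownerTokenSurvives: store.has("tok-owner-ci") };
}
```

In the vulnerable path the editor's request returns 200 and the owner's token is gone; in the hardened path it returns 404 and the token survives, while the owner can still revoke the editor's token and each user can revoke their own. The point to carry into a review of any similar endpoint: a user ID in the request body is an attacker-controlled hint, not an authorization input, and the ownership check must compare against the stored owner and the session identity.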
Exploits (2)
This repository contains a functional Python exploit for CVE-2026-30945, an IDOR vulnerability in StudioCMS ≤ 0.3.0 that allows authenticated users with editor privileges to revoke API tokens of other users, leading to denial of service. The PoC includes both manual and automated testing modes, with detailed documentation and examples.
This repository contains a functional Python exploit for CVE-2026-30945, an IDOR vulnerability in StudioCMS ≤ 0.3.0 that allows authenticated users with editor privileges to revoke API tokens of other users, leading to denial of service. The PoC includes both manual and automated testing modes, demonstrating the vulnerability's impact.
Scores
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H (base score 7.1, High): network-reachable, low complexity, requires only a low-privilege (editor) account, no user interaction; no confidentiality impact, low integrity impact, high availability impact from token revocation.