8 matches found
NPM: TinaCMS: Cross-origin postMessage handlers and rich-text URL-sanitization bypass enable stored XSS and session takeover
NPM: TinaCMS: Cross-origin postMessage handlers and rich-text URL-sanitization bypass enable stored XSS and session takeover vulnerability discovered by ? in WordPress Npm tinacms versions 3.9.3...
@backpackjs/cli (>=1.0.0 <=2.0.0-bundle-perf-test.2), @backpackjs/cms (>=0.0.2 <=4.21.0) +50 more potentially affected by CVE-2026-28791 via tinacms (>=0.0.0-a11f739-20260513041310 <=2.1.1)
tinacms NPM version =0.0.0-a11f739-20260513041310, =1.0.0, =0.0.2, =2.2.0-isolate-nextjs.0, =1.0.0, =1.0.0, =0.1.0, =0.1.0, =0.10.0, =0.0.1-beta.1, =0.0.0-20220816134642, =0.0.0-20220903131031, =0.0.4, =0.1.0, =0.0.85, =0.0.89, =0.0.93 and more Source cves: CVE-2026-28791 Source advisory:...
CVE-2026-29066
Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server configures Vite with server.fs.strict: false, which disables Vite's built-in filesystem access restriction. This allows any unauthenticated attacker who can reach the dev server to read arbitrary files on the...
CVE-2023-25164
Tinacms is a Git-backed headless content management system with support for visual editing. Sites being built with @tinacms/cli = 1.0.0 && 1.0.9 which store sensitive values in the process.env variable are impacted. These values will be added in plaintext to the index.js file. If you're on a...
GHSA-529F-9QWM-9628 tinacms is vulnerable to arbitrary code execution
Summary tinacms uses the gray-matter package in an insecure way allowing attackers that can control the content of the processed markdown files, e.g., blog posts, to execute arbitrary code. Details The gray-matter package executes by default the code in the markdown file's front matter. tinacms...
tinacms is vulnerable to arbitrary code execution
Summary tinacms uses the gray-matter package in an insecure way allowing attackers that can control the content of the processed markdown files, e.g., blog posts, to execute arbitrary code. Details The gray-matter package executes by default the code in the markdown file's front matter. tinacms...
CVE-2025-68278 tinacms vulnerable to arbitrary code execution
Tina is a headless content management system. In tinacms prior to version 3.1.1, tinacms uses the gray-matter package in an insecure way allowing attackers that can control the content of the processed markdown files, e.g., blog posts, to execute arbitrary code. tinacms version 3.1.1, @tinacms/cl...
EUVD-2023-0758
Malicious code in bioql PyPI...