GHSA-M48G-4WR2-J2H6 TinaCMS CLI has Arbitrary File Read via Disabled Vite Filesystem Restriction

Summary The TinaCMS CLI dev server configures Vite with server.fs.strict: false, which disables Vite's built-in filesystem access restriction. This allows any unauthenticated attacker who can reach the dev server to read arbitrary files on the host system Details When running tinacms dev, the CLI...

@cloudcommerce/storefront (>=0.10.0 <=0.11.0), @gspenst/next (>=0.0.1 <=0.1.2) +6 more potentially affected by CVE-2026-29066 via @tinacms/cli (>=0.60.28 <=1.12.6)

@tinacms/cli NPM version =0.60.28, =0.10.0, =0.0.1, =0.1.0, =0.0.2, =0.0.3, =0.0.1, =0.1.3 - next-tina-github-starter =0.1.0 - ramidus =1.2.1 Source cves: CVE-2026-29066 Source advisory: OSV:GHSA-M48G-4WR2-J2H6...

@cloudcommerce/storefront (>=0.10.0 <=0.11.0), @gspenst/next (>=0.0.1 <=0.1.2) +6 more potentially affected by CVE-2026-28793 via @tinacms/cli (>=0.60.28 <=1.12.6)

@tinacms/cli NPM version =0.60.28, =0.10.0, =0.0.1, =0.1.0, =0.0.2, =0.0.3, =0.0.1, =0.1.3 - next-tina-github-starter =0.1.0 - ramidus =1.2.1 Source cves: CVE-2026-28793 Source advisory: OSV:GHSA-2F24-MG4X-534Q...

@cloudcommerce/storefront (>=0.10.0 <=0.11.0), @gspenst/next (>=0.0.1 <=0.1.2) +6 more potentially affected by CVE-2026-28792 via @tinacms/cli (>=0.60.28 <=1.12.6)

@tinacms/cli NPM version =0.60.28, =0.10.0, =0.0.1, =0.1.0, =0.0.2, =0.0.3, =0.0.1, =0.1.3 - next-tina-github-starter =0.1.0 - ramidus =1.2.1 Source cves: CVE-2026-28792 Source advisory: OSV:GHSA-8PW3-9M7F-Q734...

Files or Directories Accessible to External Parties

Overview @tinacms/cli is a package used to set up your project with Tina Cloud configuration, and run a local version of the Tina Cloud content-api. Affected versions of this package are vulnerable to Files or Directories Accessible to External Parties via the dev server configuration when...

Directory Traversal

Overview @tinacms/cli is a package used to set up your project with Tina Cloud configuration, and run a local version of the Tina Cloud content-api. Affected versions of this package are vulnerable to Directory Traversal via the decodeURI and path.join functions in the HTTP server endpoints...

Directory Traversal

Overview @tinacms/cli is a package used to set up your project with Tina Cloud configuration, and run a local version of the Tina Cloud content-api. Affected versions of this package are vulnerable to Directory Traversal via a combination with permissive CORS configuration. An attacker can access...

abstra (>=1.8.8 <=2.5.1), clay (>=3.0.0 <=4.0.0) +19 more potentially affected by CVE-2026-28356 via multipart (>=0.2.4 <=1.2.1)

multipart PYPI version =0.2.4, =1.8.8, =3.0.0, =4.5.0b3, =0.3.11, =0.1.0, =0.1.2, =0.1.0, =0.1.0, =0.1.6, =0.1.0, =0.1.0, =1.0.0, =0.1.3, =1.1.44 and more Source cves: CVE-2026-28356 Source advisory: OSV:GHSA-P2M9-WCP5-6QW3...

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @kontaa/subgraph (>=1.0.1 <=1.2.3) +27 more potentially affected by CVE-2026-32248 via parse-server (>=2.0.8 <=7.5.4)

parse-server NPM version =2.0.8, =1.0.5, =1.0.1, =1.2.1, =2.4.46, =2.4.8, =1.0.0, =1.0.0, =1.0.1, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.29 - parse-cli-server2 =0.0.30 and more Source cves: CVE-2026-32248 Source advisory: OSV:GHSA-5FW2-8JCV-XH87...

CVE-2026-3841 Command Injection Vulnerability in Telnet CLI on TP-Link TL-MR6400

A command injection vulnerability has been identified in the Telnet command-line interface CLI of TP-Link TL-MR6400 v5.3. This issue is caused by insufficient sanitization of data processed during specific CLI operations. An authenticated attacker with elevated privileges may be able to execute...

CVE-2026-3841

A command injection vulnerability has been identified in the Telnet command-line interface CLI of TP-Link TL-MR6400 v5.3. This issue is caused by insufficient sanitization of data processed during specific CLI operations. An authenticated attacker with elevated privileges may be able to execute...

CVE-2026-3841

CVE-2026-3841 describes a command-injection vulnerability in the Telnet CLI of TP-Link TL-MR6400 (v5.3). The issue arises from insufficient sanitization of data during specific CLI operations. An authenticated attacker with elevated privileges can execute arbitrary system commands, potentially co...

CVE-2026-29066 Arbitrary File Read via Disabled Vite Filesystem Restriction in TinaCMS CLI

Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server configures Vite with server.fs.strict: false, which disables Vite's built-in filesystem access restriction. This allows any unauthenticated attacker who can reach the dev server to read arbitrary files on the...

CVE-2026-29066 Arbitrary File Read via Disabled Vite Filesystem Restriction in TinaCMS CLI

Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server configures Vite with server.fs.strict: false, which disables Vite's built-in filesystem access restriction. This allows any unauthenticated attacker who can reach the dev server to read arbitrary files on the...

CVE-2026-28793

TinaCMS CLI dev server (TinaCMS) prior to 2.1.8 exposes media endpoints via tinacms dev (default port 4001) including /media/list/, /media/upload/ , and /media/*. User-controlled path segments are processed with decodeURI() and path.join() without validating the resolved path against the configur...

PT-2026-25022

Name of the Vulnerable Software and Affected Versions TP-Link TL-MR6400 version 5.3 Description A command injection issue exists in the Telnet command-line interface CLI of the device. This is due to inadequate data sanitization during certain CLI operations. An authenticated attacker with elevat...

CVE-2026-3959

A vulnerability was found in 0xKoda WireMCP up to 7f45f8b2b4adeb76be8c6227eefb38533fdd6b1e. Impacted is the function server.tool of the file index.js of the component Tshark CLI Command Handler. The manipulation results in os command injection. The attack needs to be approached locally. The explo...

CVE-2026-3959

The CVE concerns 0xKoda WireMCP (up to commit 7f45f8b2b4adeb76be8c6227eefb38533fdd6b1e). Affected is the function server.tool in index.js of Tshark CLI Command Handler, where input manipulation leads to OS command injection. Attack requires local access; public exploit exists. Product uses a roll...

CVE-2026-3959 0xKoda WireMCP Tshark CLI index.js server.tool os command injection

A vulnerability was found in 0xKoda WireMCP up to 7f45f8b2b4adeb76be8c6227eefb38533fdd6b1e. Impacted is the function server.tool of the file index.js of the component Tshark CLI Command Handler. The manipulation results in os command injection. The attack needs to be approached locally. The explo...

EUVD-2026-11214

A vulnerability in the CLI of Cisco IOS XR Software could allow an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device. This vulnerability is due to insufficient validation of user arguments that are passed to specific CLI...