CVE-2026-29066 Arbitrary File Read via Disabled Vite Filesystem Restriction in TinaCMS CLI

Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server configures Vite with server.fs.strict: false, which disables Vite's built-in filesystem access restriction. This allows any unauthenticated attacker who can reach the dev server to read arbitrary files on the...

@cloudcommerce/storefront (>=0.10.0 <=0.11.0), @gspenst/next (>=0.0.1 <=0.1.2) +6 more potentially affected by CVE-2025-68278 via @tinacms/cli (>=0.60.28 <=1.12.6)

@tinacms/cli NPM version =0.60.28, =0.10.0, =0.0.1, =0.1.0, =0.0.2, =0.0.3, =0.0.1, =0.1.3 - next-tina-github-starter =0.1.0 - ramidus =1.2.1 Source cves: CVE-2025-68278 Source advisory: OSV:GHSA-529F-9QWM-9628...

PT-2024-31595 · Unknown · @Tinacms/Cli

Name of the Vulnerable Software and Affected Versions: @tinacms/cli versions prior to 1.6.2 Description: Tina is an open-source content management system CMS. Sites building with Tina CMS's command line interface CLI that use a search token may be vulnerable to the search token being leaked via...