101 matches found
TinaCMS - Path Traversal
TinaCMS CLI 2.1.8 contains a file system read vulnerability caused by disabled Vite server.fs.strict setting, letting unauthenticated attackers read arbitrary files on the host system, exploit requires access to the dev server. id: CVE-2026-29066 info: name: TinaCMS - Path Traversal author:...
CVE-2026-55661
Tina is a headless content management system. In versions prior to @tinacms/mdx 2.1.7 and tinacms 3.9.3, rich-text parsing and the default link/image renderers did not sanitize the url field on Slate link/image nodes. Content containing javascript: or data:text/html URLs — including case-variant,...
CVE-2026-54074
Tina is a headless content management system. @tinacms/cli versions prior to 2.4.3 contain a Remote Code Execution vulnerability in the Forestry-to-Tina migration command. The internal helper addVariablesToCode unquotes any value matching the marker "TINAINTERNAL:::.?:::" inside the stringified...
CVE-2026-55660
Tina is a headless content management system. In versions prior to @tinacms/app 2.5.6 and tinacms 3.9.3, cross-origin postMessage handlers and a rich-text URL-sanitization bypass enable stored XSS and session takeover. The library registers window message listeners — the useTina overlay handler,...
CVE-2026-54074
Tina is a headless content management system. @tinacms/cli versions prior to 2.4.3 contain a Remote Code Execution vulnerability in the Forestry-to-Tina migration command. The internal helper addVariablesToCode unquotes any value matching the marker "TINAINTERNAL:::.?:::" inside the stringified...
CVE-2026-55661
CVE-2026-55661 affects TinaCMS rich-text rendering (Slate JSON) where the url field on Slate link/image nodes was not sanitized, allowing stored XSS via dangerous URL schemes such as javascript: or data:text/html. Affected versions include tinacms/mdx <2.1.7 and tinacms =2.1.7 and tinacms >...
NPM: TinaCMS: Cross-origin postMessage handlers and rich-text URL-sanitization bypass enable stored XSS and session takeover
NPM: TinaCMS: Cross-origin postMessage handlers and rich-text URL-sanitization bypass enable stored XSS and session takeover vulnerability discovered by ? in WordPress Npm tinacms versions 3.9.3...
Improper Verification of Source of a Communication Channel
Overview Affected versions of this package are vulnerable to Improper Verification of Source of a Communication Channel via improper validation of cross-origin messages in the window message listeners. An attacker can hijack authenticated editing sessions by sending crafted postMessage events fro...
Improper Verification of Source of a Communication Channel
Overview tinacms is a headless content management system with support for Markdown, MDX, JSON, YAML, and more. Affected versions of this package are vulnerable to Improper Verification of Source of a Communication Channel via improper validation of cross-origin messages in the window message...
Arbitrary Code Injection
Overview @tinacms/cli is a package used to set up your project with Tina Cloud configuration, and run a local version of the Tina Cloud content-api. Affected versions of this package are vulnerable to Arbitrary Code Injection through the addVariablesToCode/makeFieldsWithInternalCode process in...
@tinacms/cli: Remote Code Execution in @tinacms/cli via Forestry migration — unsanitised __TINA_INTERNAL__ marker in user-controlled YAML labels
Description Summary @tinacms/cli contains a Remote Code Execution vulnerability in its Forestry-to-Tina migration command. The internal helper addVariablesToCode unquotes any value matching the marker "TINAINTERNAL:::.?:::" inside the stringified collection JSON. User-supplied label and name fiel...
PT-2026-51104
Name of the Vulnerable Software and Affected Versions @tinacms/app versions prior to 2.5.6 tinacms versions prior to 3.9.3 Description Cross-origin postMessage handlers allow for stored XSS and session takeover. The software registers window message listeners—specifically the useTina overlay...
Cross-site Scripting (XSS)
Overview tinacms is a headless content management system with support for Markdown, MDX, JSON, YAML, and more. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the url field in Slate link or image nodes during rich-text rendering and parsing. An attacker can execut...
TinaCMS rich-text (slatejson) rendering does not sanitize link/image URLs, allowing stored XSS via dangerous URL schemes
TinaCMS rich-text parsing and the default link/image renderers did not sanitize the url field on Slate link/image nodes. Content containing javascript: or data:text/html URLs — including case-variant, whitespace-padded, and control-character-obfuscated forms — is rendered into href/src and execut...
CVE-2026-54074
creationtimestamp| type| source ---|---|--- 2026-06-09 00:22:22+00:00| published-proof-of-concept| https://github.com/tinacms/tinacms/security/advisories/GHSA-4936-9hrh-qqpw 2026-07-02 12:50:34+00:00| seen| https://bsky.app/profile/kriptabiz.bsky.social/post/3mpo32jomd72u...
CVE-2026-33949 @tinacms/graphql has Path Traversal that leads to overwrite of arbitrary files
Tina is a headless content management system. Prior to version 2.2.2, a path traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the relativePath parameter in GraphQL mutations. T...
EUVD-2026-17961
Tina is a headless content management system. Prior to version 2.2.2, a path traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the relativePath parameter in GraphQL mutations. T...
CVE-2026-33949
Tina is a headless content management system. Prior to version 2.2.2, a path traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the relativePath parameter in GraphQL mutations. T...
@tinacms/app (>=0.0.0-0a1049d-20260309051347 <=2.4.0), @tinacms/cli (>=0.0.0-0a1049d-20260309051347 <=2.2.0) +4 more potentially affected by CVE-2026-34604 via @tinacms/graphql (>=2.0.0 <=2.2.1)
@tinacms/graphql NPM version =2.0.0, =0.0.0-0a1049d-20260309051347, =0.0.0-0a1049d-20260309051347, =2.0.0, =0.0.0-0b7103c-20251216023146, =0.0.0-0a1049d-20260309051347, =0.0.0-0a1049d-20260309051347, =3.7.0 Source cves: CVE-2026-34604 Source advisory: SNYK:JS-TINACMSGRAPHQL-15870926...
@tinacms/graphql's `FilesystemBridge` Path Validation Can Be Bypassed via Symlinks or Junctions
Summary @tinacms/graphql uses string-based path containment checks in FilesystemBridge: - path.resolvepath.joinbaseDir, filepath - startsWithresolvedBase + path.sep That blocks plain ../ traversal, but it does not resolve symlink or junction targets. If a symlink/junction already exists under the...