22 matches found
TinaCMS - Path Traversal
TinaCMS CLI 2.1.8 contains a file system read vulnerability caused by a disabled Vite server.fs.strict setting, letting unauthenticated attackers read arbitrary files on the host system; exploitation requires access to the dev server. id: CVE-2026-29066 info: name: TinaCMS - Path Traversal author:...
CVE-2026-24125
Tina is a headless content management system. Prior to 2.1.2, TinaCMS allows users to create, update, and delete content documents using relative file paths (relativePath, newRelativePath) via GraphQL mutations. Under certain conditions, these paths are combined with the collection path using...
EUVD-2026-11611
TinaCMS CLI Dev Server Vulnerable to Cross-Origin File Exfiltration via CORS Misconfiguration + Path Traversal in TinaCMS...
Files or Directories Accessible to External Parties
Overview: Affected versions of this package are vulnerable to Files or Directories Accessible to External Parties via the dev server configuration when server.fs.strict is set to false. An attacker can access sensitive files on the host system by sending crafted requests to the development server...
Directory Traversal
Overview: @tinacms/cli is a package used to set up your project with Tina Cloud configuration, and run a local version of the Tina Cloud content-api. Affected versions of this package are vulnerable to Directory Traversal in the development server's media upload handler. An attacker can write or...
CVE-2026-24125 Path Traversal in @tinacms/graphql
Tina is a headless content management system. Prior to 2.1.2, TinaCMS allows users to create, update, and delete content documents using relative file paths (relativePath, newRelativePath) via GraphQL mutations. Under certain conditions, these paths are combined with the collection path using...
@backpackjs/cli (>=1.0.0 <=2.0.0-bundle-perf-test.2), @backpackjs/cms (>=0.0.2 <=4.21.0) +51 more potentially affected by CVE-2025-68278 via tinacms (>=0.0.0-a1ff961-20250623024558 <=3.1.0)
tinacms NPM version =0.0.0-a1ff961-20250623024558, =1.0.0, =0.0.2, =2.2.0-isolate-nextjs.0, =1.0.0, =1.0.0, =0.1.0, =0.1.0, =0.10.0, =0.0.1-beta.1, =0.0.0-20220816134642, =0.0.0-20220903131031, =0.0.4, =0.1.0, =0.0.85, =0.0.89, =0.0.93 and more Source cves: CVE-2025-68278 Source advisory:...
@backpackjs/cli (>=1.0.0 <=2.0.0-bundle-perf-test.2), @backpackjs/cms (>=0.0.2 <=4.21.0) +51 more potentially affected by CVE-2025-68278 via tinacms (>=0.0.0-a11f739-20260513041310 <=3.1.0)
tinacms NPM version =0.0.0-a11f739-20260513041310, =1.0.0, =0.0.2, =2.2.0-isolate-nextjs.0, =1.0.0, =1.0.0, =0.1.0, =0.1.0, =0.10.0, =0.0.1-beta.1, =0.0.0-20220816134642, =0.0.0-20220903131031, =0.0.4, =0.1.0, =0.0.85, =0.0.89, =0.0.93 and more Source cves: CVE-2025-68278 Source advisory:...
CVE-2025-68278
CVE-2025-68278 affects tinacms prior to 3.1.1, where insecure use of the gray-matter package allows attackers who can control markdown front matter (e.g., blog posts) to execute arbitrary code. The issue spans tinacms, @tinacms/cli (v2.0.4), and @tinacms/graphql (v2.0.3). A fix is available in ti...
CVE-2025-68278 tinacms vulnerable to arbitrary code execution
Tina is a headless content management system. In tinacms prior to version 3.1.1, tinacms uses the gray-matter package in an insecure way allowing attackers that can control the content of the processed markdown files, e.g., blog posts, to execute arbitrary code. tinacms version 3.1.1, @tinacms/cl...
CVE-2024-45391 Tina search token leak via lock file in TinaCMS
Tina is an open-source content management system (CMS). Sites building with Tina CMS's command line interface (CLI) prior to version 1.6.2 that use a search token may be vulnerable to the search token being leaked via the lock file (tina-lock.json). Administrators of Tina-enabled websites with search setup...
GHSA-4QRM-9H4R-V2FX Tina search token leak via lock file in TinaCMS
Impact: Tina search token leaked via lock file (tina-lock.json) in TinaCMS. Sites building with @tinacms/cli 1.6.2 that use a search token are impacted. If your Tina-enabled website has search setup, you should rotate that key immediately. Patches: This issue has been patched in @tinacms/[email protected]...
Tina search token leak via lock file in TinaCMS
Impact: Tina search token leaked via lock file (tina-lock.json) in TinaCMS. Sites building with @tinacms/cli 1.6.2 that use a search token are impacted. If your Tina-enabled website has search setup, you should rotate that key immediately. Patches: This issue has been patched in @tinacms/[email protected]...
CVE-2023-25164
Tinacms is a Git-backed headless content management system with support for visual editing. Sites being built with @tinacms/cli >= 1.0.0 && < 1.0.9 which store sensitive values in the process.env variable are impacted. These values will be added in plaintext to the index.js file. If you're on a...
Design/Logic Flaw
Tinacms is a Git-backed headless content management system with support for visual editing. Sites being built with @tinacms/cli >= 1.0.0 && < 1.0.9 which store sensitive values in the process.env variable are impacted. These values will be added in plaintext to the index.js file. If you're on a...
CVE-2023-25164
The CVE-2023-25164 entry concerns Tinacms where sites built with @tinacms/cli >= 1.0.0 and
CVE-2023-25164 Sensitive Information leak via Script File in TinaCMS
Tinacms is a Git-backed headless content management system with support for visual editing. Sites being built with @tinacms/cli >= 1.0.0 && < 1.0.9 which store sensitive values in the process.env variable are impacted. These values will be added in plaintext to the index.js file. If you're on a...