13 matches found
EUVD-2026-17961
Tina is a headless content management system. Prior to version 2.2.2, a path traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the relativePath parameter in GraphQL mutations. T...
CVE-2026-33949 @tinacms/graphql has Path Traversal that leads to overwrite of arbitrary files
Tina is a headless content management system. Prior to version 2.2.2, a path traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the relativePath parameter in GraphQL mutations. T...
@tinacms/app (>=0.0.0-0a1049d-20260309051347 <=2.4.0), @tinacms/cli (>=0.0.0-0a1049d-20260309051347 <=2.2.0) +4 more potentially affected by CVE-2026-34604 via @tinacms/graphql (>=2.0.0 <=2.2.1)
@tinacms/graphql NPM version =2.0.0, =0.0.0-0a1049d-20260309051347, =0.0.0-0a1049d-20260309051347, =2.0.0, =0.0.0-0b7103c-20251216023146, =0.0.0-0a1049d-20260309051347, =0.0.0-0a1049d-20260309051347, =3.7.0 Source cves: CVE-2026-34604 Source advisory: SNYK:JS-TINACMSGRAPHQL-15870926...
GHSA-G9C2-GF25-3X67 @tinacms/graphql's `FilesystemBridge` Path Validation Can Be Bypassed via Symlinks or Junctions
Summary @tinacms/graphql uses string-based path containment checks in FilesystemBridge: - path.resolvepath.joinbaseDir, filepath - startsWithresolvedBase + path.sep That blocks plain ../ traversal, but it does not resolve symlink or junction targets. If a symlink/junction already exists under the...
@tinacms/app (>=0.0.0-0a1049d-20260309051347 <=2.4.0), @tinacms/cli (>=0.0.0-0a1049d-20260309051347 <=2.2.0) +4 more potentially affected by CVE-2026-34603 via @tinacms/graphql (>=2.0.0 <=2.2.1)
@tinacms/graphql NPM version =2.0.0, =0.0.0-0a1049d-20260309051347, =0.0.0-0a1049d-20260309051347, =2.0.0, =0.0.0-0b7103c-20251216023146, =0.0.0-0a1049d-20260309051347, =0.0.0-0a1049d-20260309051347, =3.7.0 Source cves: CVE-2026-34603 Source advisory: SNYK:JS-TINACMSGRAPHQL-15870346...
@tinacms/app (>=0.0.0-0a1049d-20260309051347 <=2.4.0), @tinacms/cli (>=0.0.0-0a1049d-20260309051347 <=2.2.0) +4 more potentially affected by CVE-2026-33949 via @tinacms/graphql (>=2.0.0 <=2.2.1)
@tinacms/graphql NPM version =2.0.0, =0.0.0-0a1049d-20260309051347, =0.0.0-0a1049d-20260309051347, =2.0.0, =0.0.0-0b7103c-20251216023146, =0.0.0-0a1049d-20260309051347, =0.0.0-0a1049d-20260309051347, =3.7.0 Source cves: CVE-2026-33949 Source advisory: SNYK:JS-TINACMSGRAPHQL-15855320...
GHSA-V9P7-GF3Q-H779 @tinacms/graphql has Path Traversal that leads to overwrite of arbitrary files
Summary A Path Traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the relativePath parameter in GraphQL mutations. The impact includes the ability to replace critical server...
@tinacms/app (>=0.0.0-0b7103c-20251216023146 <=2.3.24), @tinacms/cli (>=0.0.0-0b7103c-20251216023146 <=2.1.5) +4 more potentially affected by CVE-2026-24125 via @tinacms/graphql (>=2.0.0 <=2.1.1)
@tinacms/graphql NPM version =2.0.0, =0.0.0-0b7103c-20251216023146, =0.0.0-0b7103c-20251216023146, =2.0.0, =0.0.0-0b7103c-20251216023146, =0.0.0-0b7103c-20251216023146, =0.0.0-0b7103c-20251216023146, =3.4.1 Source cves: CVE-2026-24125 Source advisory: SNYK:JS-TINACMSGRAPHQL-15518060...
Directory Traversal
Overview @tinacms/graphql is a GraphQL database generating component for Tina, the headless content management system with support for Markdown, MDX, JSON, YAML, and more. Affected versions of this package are vulnerable to Directory Traversal in the development server's media upload handler. An...
@tinacms/app (>=0.0.0-0b7103c-20251216023146 <=2.3.25), @tinacms/cli (>=0.0.0-0b7103c-20251216023146 <=2.1.6) +4 more potentially affected by CVE-2026-28791 via @tinacms/graphql (>=2.0.0 <=2.1.2)
@tinacms/graphql NPM version =2.0.0, =0.0.0-0b7103c-20251216023146, =0.0.0-0b7103c-20251216023146, =2.0.0, =0.0.0-0b7103c-20251216023146, =0.0.0-0b7103c-20251216023146, =0.0.0-0b7103c-20251216023146, =3.5.0 Source cves: CVE-2026-28791 Source advisory: SNYK:JS-TINACMSGRAPHQL-15518326...
CVE-2026-24125
Summary: TinaCMS (headless CMS) before 2.1.2 allows creating, updating, and deleting content via GraphQL mutations using relative file paths. Under certain conditions, path.join() can combine the path with the collection path without validating the resolved path stays within the collection root, ...
@tinacms/app (>=0.0.0-0b7103c-20251216023146 <=2.3.15), @tinacms/cli (>=0.0.0-0b7103c-20251216023146 <=2.0.3) +4 more potentially affected by CVE-2025-68278 via @tinacms/graphql (>=2.0.0 <=2.0.2)
@tinacms/graphql NPM version =2.0.0, =0.0.0-0b7103c-20251216023146, =0.0.0-0b7103c-20251216023146, =2.0.0, =0.0.0-0b7103c-20251216023146, =0.0.0-0b7103c-20251216023146, =0.0.0-0b7103c-20251216023146, =3.1.0 Source cves: CVE-2025-68278 Source advisory: SNYK:JS-TINACMSGRAPHQL-14535448...
@bojidar-bg/tina-mdx-editor (>=0.1.0 <=0.1.1), @bojidar-bg/tina-simple-git-provider (>=0.1.0 <=0.1.1) +28 more potentially affected by CVE-2025-68278 via @tinacms/graphql (>=0.0.0-a1ff961-20250623024558 <=2.0.2)
@tinacms/graphql NPM version =0.0.0-a1ff961-20250623024558, =0.1.0, =0.1.0, =0.1.0, =0.10.0, =0.0.0-20230511135047, =0.0.0-20230511135047, =2.5.8, =0.0.4, =0.0.85, =0.0.89, =0.0.26, =0.0.34, =0.0.0-0a2c557-20250220151224, =0.0.0-0a2c557-20250220151224, =2.0.3 and more Source cves: CVE-2025-68278...