14 vulnerabilities found for tinacms by tinacms
CVE-2026-34604 (GCVE-0-2026-34604)
Vulnerability from nvd – Published: 2026-04-01 16:05 – Updated: 2026-04-01 17:59
Title
@tinacms/graphql's `FilesystemBridge` Path Validation Can Be Bypassed via Symlinks or Junctions
Summary
Tina is a headless content management system. Prior to version 2.2.2, @tinacms/graphql uses string-based path containment checks in FilesystemBridge. That blocks plain ../ traversal, but it does not resolve symlink or junction targets. If a symlink/junction already exists under the allowed content root, a path like content/posts/pivot/owned.md is still considered "inside" the base even though the real filesystem target can be outside it. As a result, FilesystemBridge.get(), put(), delete(), and glob() can operate on files outside the intended root. This issue has been patched in version 2.2.2.
Severity
7.1 (High)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34604",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T17:59:42.739451Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T17:59:46.120Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-g9c2-gf25-3x67"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "tinacms",
"vendor": "tinacms",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tina is a headless content management system. Prior to version 2.2.2, @tinacms/graphql uses string-based path containment checks in FilesystemBridge. That blocks plain ../ traversal, but it does not resolve symlink or junction targets. If a symlink/junction already exists under the allowed content root, a path like content/posts/pivot/owned.md is still considered \"inside\" the base even though the real filesystem target can be outside it. As a result, FilesystemBridge.get(), put(), delete(), and glob() can operate on files outside the intended root. This issue has been patched in version 2.2.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T16:05:15.196Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/tinacms/tinacms/security/advisories/GHSA-g9c2-gf25-3x67",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-g9c2-gf25-3x67"
},
{
"name": "https://github.com/tinacms/tinacms/commit/f124eabaca10dac9a4d765c9e4135813c4830955",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tinacms/tinacms/commit/f124eabaca10dac9a4d765c9e4135813c4830955"
}
],
"source": {
"advisory": "GHSA-g9c2-gf25-3x67",
"discovery": "UNKNOWN"
},
"title": "@tinacms/graphql\u0027s `FilesystemBridge` Path Validation Can Be Bypassed via Symlinks or Junctions"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34604",
"datePublished": "2026-04-01T16:05:15.196Z",
"dateReserved": "2026-03-30T17:15:52.500Z",
"dateUpdated": "2026-04-01T17:59:46.120Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34603 (GCVE-0-2026-34603)
Vulnerability from nvd – Published: 2026-04-01 16:08 – Updated: 2026-04-01 17:54
Title
@tinacms/graphql's Media Endpoints Can Escape the Media Root via Symlinks or Junctions
Summary
Tina is a headless content management system. Prior to version 2.2.2, @tinacms/cli recently added lexical path-traversal checks to the dev media routes, but the implementation still validates only the path string and does not resolve symlink or junction targets. If a link already exists under the media root, Tina accepts a path like pivot/written-from-media.txt as "inside" the media directory and then performs real filesystem operations through that link target. This allows out-of-root media listing and write access, and the same root cause also affects delete. This issue has been patched in version 2.2.2.
Severity
7.1 (High)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34603",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T17:52:31.840761Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T17:54:25.006Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-g87c-r2jp-293w"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "tinacms",
"vendor": "tinacms",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tina is a headless content management system. Prior to version 2.2.2, @tinacms/cli recently added lexical path-traversal checks to the dev media routes, but the implementation still validates only the path string and does not resolve symlink or junction targets. If a link already exists under the media root, Tina accepts a path like pivot/written-from-media.txt as \"inside\" the media directory and then performs real filesystem operations through that link target. This allows out-of-root media listing and write access, and the same root cause also affects delete. This issue has been patched in version 2.2.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T16:08:44.366Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/tinacms/tinacms/security/advisories/GHSA-g87c-r2jp-293w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-g87c-r2jp-293w"
},
{
"name": "https://github.com/tinacms/tinacms/commit/f124eabaca10dac9a4d765c9e4135813c4830955",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tinacms/tinacms/commit/f124eabaca10dac9a4d765c9e4135813c4830955"
}
],
"source": {
"advisory": "GHSA-g87c-r2jp-293w",
"discovery": "UNKNOWN"
},
"title": "@tinacms/graphql\u0027s Media Endpoints Can Escape the Media Root via Symlinks or Junctions"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34603",
"datePublished": "2026-04-01T16:08:44.366Z",
"dateReserved": "2026-03-30T17:15:52.500Z",
"dateUpdated": "2026-04-01T17:54:25.006Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33949 (GCVE-0-2026-33949)
Vulnerability from nvd – Published: 2026-04-01 15:54 – Updated: 2026-04-03 16:44
Title
@tinacms/graphql has Path Traversal that leads to overwrite of arbitrary files
Summary
Tina is a headless content management system. Prior to version 2.2.2, a path traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the relativePath parameter in GraphQL mutations. The impact includes the ability to replace critical server configuration files and potentially execute arbitrary commands by sabotaging build script. This issue has been patched in version 2.2.2.
Severity
8.1 (High)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33949",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-03T16:44:36.092778Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T16:44:46.487Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "tinacms",
"vendor": "tinacms",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tina is a headless content management system. Prior to version 2.2.2, a path traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the relativePath parameter in GraphQL mutations. The impact includes the ability to replace critical server configuration files and potentially execute arbitrary commands by sabotaging build script. This issue has been patched in version 2.2.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-73",
"description": "CWE-73: External Control of File Name or Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:54:12.351Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/tinacms/tinacms/security/advisories/GHSA-v9p7-gf3q-h779",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-v9p7-gf3q-h779"
}
],
"source": {
"advisory": "GHSA-v9p7-gf3q-h779",
"discovery": "UNKNOWN"
},
"title": "@tinacms/graphql has Path Traversal that leads to overwrite of arbitrary files"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33949",
"datePublished": "2026-04-01T15:54:12.351Z",
"dateReserved": "2026-03-24T19:50:52.105Z",
"dateUpdated": "2026-04-03T16:44:46.487Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28791 (GCVE-0-2026-28791)
Vulnerability from nvd – Published: 2026-03-12 16:55 – Updated: 2026-03-13 16:27
Title
Path Traversal in Media Upload Handle in Tina
Summary
Tina is a headless content management system. Prior to 2.1.7, a path traversal vulnerability exists in the TinaCMS development server's media upload handler. The code at media.ts joins user-controlled path segments using path.join() without validating that the resulting path stays within the intended media directory. This allows writing files to arbitrary locations on the filesystem. This vulnerability is fixed in 2.1.7.
Severity
7.4 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28791",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-13T16:27:52.236019Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T16:27:56.642Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-5hxf-c7j4-279c"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "tinacms",
"vendor": "tinacms",
"versions": [
{
"status": "affected",
"version": "\u003c 2.1.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tina is a headless content management system. Prior to 2.1.7, a path traversal vulnerability exists in the TinaCMS development server\u0027s media upload handler. The code at media.ts joins user-controlled path segments using path.join() without validating that the resulting path stays within the intended media directory. This allows writing files to arbitrary locations on the filesystem. This vulnerability is fixed in 2.1.7."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-12T16:55:47.528Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/tinacms/tinacms/security/advisories/GHSA-5hxf-c7j4-279c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-5hxf-c7j4-279c"
}
],
"source": {
"advisory": "GHSA-5hxf-c7j4-279c",
"discovery": "UNKNOWN"
},
"title": "Path Traversal in Media Upload Handle in Tina"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-28791",
"datePublished": "2026-03-12T16:55:47.528Z",
"dateReserved": "2026-03-03T14:25:19.244Z",
"dateUpdated": "2026-03-13T16:27:56.642Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68278 (GCVE-0-2025-68278)
Vulnerability from nvd – Published: 2025-12-18 15:27 – Updated: 2025-12-18 15:46
Title
tinacms vulnerable to arbitrary code execution
Summary
Tina is a headless content management system. In tinacms prior to version 3.1.1, tinacms uses the gray-matter package in an insecure way allowing attackers that can control the content of the processed markdown files, e.g., blog posts, to execute arbitrary code. tinacms version 3.1.1, @tinacms/cli version 2.0.4, and @tinacms/graphql version 2.0.3 contain a fix for the issue.
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68278",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-18T15:45:22.577839Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-18T15:46:53.765Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "tinacms",
"vendor": "tinacms",
"versions": [
{
"status": "affected",
"version": "tinacms \u003c 3.1.1"
},
{
"status": "affected",
"version": "@tinacms/cli \u003c 2.0.4"
},
{
"status": "affected",
"version": "@tinacms/graphql \u003c 2.0.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tina is a headless content management system. In tinacms prior to version 3.1.1, tinacms uses the gray-matter package in an insecure way allowing attackers that can control the content of the processed markdown files, e.g., blog posts, to execute arbitrary code. tinacms version 3.1.1, @tinacms/cli version 2.0.4, and @tinacms/graphql version 2.0.3 contain a fix for the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-18T15:27:21.403Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/tinacms/tinacms/security/advisories/GHSA-529f-9qwm-9628",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-529f-9qwm-9628"
},
{
"name": "https://github.com/tinacms/tinacms/commit/fa7c27abef968e3f3a3e7d564f282bc566087569",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tinacms/tinacms/commit/fa7c27abef968e3f3a3e7d564f282bc566087569"
}
],
"source": {
"advisory": "GHSA-529f-9qwm-9628",
"discovery": "UNKNOWN"
},
"title": "tinacms vulnerable to arbitrary code execution"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68278",
"datePublished": "2025-12-18T15:27:21.403Z",
"dateReserved": "2025-12-16T14:17:32.389Z",
"dateUpdated": "2025-12-18T15:46:53.765Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-45391 (GCVE-0-2024-45391)
Vulnerability from nvd – Published: 2024-09-03 19:43 – Updated: 2024-09-03 20:23
Title
Tina search token leak via lock file in TinaCMS
Summary
Tina is an open-source content management system (CMS). Sites building with Tina CMS's command line interface (CLI) prior to version 1.6.2 that use a search token may be vulnerable to the search token being leaked via lock file (tina-lock.json). Administrators of Tina-enabled websites with search setup should rotate their key immediately. This issue has been patched in @tinacms/cli version 1.6.2. Upgrading and rotating the search token is required for the proper fix.
Severity
7.5 (High)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45391",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-03T20:23:50.587749Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-03T20:23:59.611Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "tinacms",
"vendor": "tinacms",
"versions": [
{
"status": "affected",
"version": "\u003c 1.6.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tina is an open-source content management system (CMS). Sites building with Tina CMS\u0027s command line interface (CLI) prior to version 1.6.2 that use a search token may be vulnerable to the search token being leaked via lock file (tina-lock.json). Administrators of Tina-enabled websites with search setup should rotate their key immediately. This issue has been patched in @tinacms/cli version 1.6.2. Upgrading and rotating the search token is required for the proper fix."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-03T19:43:07.417Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/tinacms/tinacms/security/advisories/GHSA-4qrm-9h4r-v2fx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-4qrm-9h4r-v2fx"
},
{
"name": "https://github.com/tinacms/tinacms/pull/4758",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tinacms/tinacms/pull/4758"
},
{
"name": "https://github.com/tinacms/tinacms/commit/110f1ceea4574d636a64526648f7c8bf6539b26a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tinacms/tinacms/commit/110f1ceea4574d636a64526648f7c8bf6539b26a"
}
],
"source": {
"advisory": "GHSA-4qrm-9h4r-v2fx",
"discovery": "UNKNOWN"
},
"title": "Tina search token leak via lock file in TinaCMS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-45391",
"datePublished": "2024-09-03T19:43:07.417Z",
"dateReserved": "2024-08-28T20:21:32.801Z",
"dateUpdated": "2024-09-03T20:23:59.611Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-25164 (GCVE-0-2023-25164)
Vulnerability from nvd – Published: 2023-02-08 19:26 – Updated: 2025-03-10 21:14
Title
Sensitive Information leak via Script File in TinaCMS
Summary
Tinacms is a Git-backed headless content management system with support for visual editing. Sites being built with @tinacms/cli >= 1.0.0 && < 1.0.9 which store sensitive values in the process.env variable are impacted. These values will be added in plaintext to the index.js file. If you're on a version prior to 1.0.0 this vulnerability does not affect you. If you are affected and your Tina-enabled website has sensitive credentials stored as environment variables (eg. Algolia API keys) you should rotate those keys immediately. This issue has been patched in @tinacms/cli@1.0.9. Users are advised to upgrade. There are no known workarounds for this issue.
Severity
8.6 (High)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:18:35.665Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/tinacms/tinacms/security/advisories/GHSA-pc2q-jcxq-rjrr",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-pc2q-jcxq-rjrr"
},
{
"name": "https://github.com/tinacms/tinacms/pull/3584",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/tinacms/tinacms/pull/3584"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-25164",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T20:58:57.760663Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T21:14:46.127Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "tinacms",
"vendor": "tinacms",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c 1.0.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tinacms is a Git-backed headless content management system with support for visual editing. Sites being built with @tinacms/cli \u003e= 1.0.0 \u0026\u0026 \u003c 1.0.9 which store sensitive values in the process.env variable are impacted. These values will be added in plaintext to the index.js file. If you\u0027re on a version prior to 1.0.0 this vulnerability does not affect you. If you are affected and your Tina-enabled website has sensitive credentials stored as environment variables (eg. Algolia API keys) you should rotate those keys immediately. This issue has been patched in @tinacms/cli@1.0.9. Users are advised to upgrade. There are no known workarounds for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-08T19:26:18.956Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/tinacms/tinacms/security/advisories/GHSA-pc2q-jcxq-rjrr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-pc2q-jcxq-rjrr"
},
{
"name": "https://github.com/tinacms/tinacms/pull/3584",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tinacms/tinacms/pull/3584"
}
],
"source": {
"advisory": "GHSA-pc2q-jcxq-rjrr",
"discovery": "UNKNOWN"
},
"title": "Sensitive Information leak via Script File in TinaCMS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-25164",
"datePublished": "2023-02-08T19:26:18.956Z",
"dateReserved": "2023-02-03T16:59:18.245Z",
"dateUpdated": "2025-03-10T21:14:46.127Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-34603 (GCVE-0-2026-34603)
Vulnerability from cvelistv5 – Published: 2026-04-01 16:08 – Updated: 2026-04-01 17:54
Title
@tinacms/graphql's Media Endpoints Can Escape the Media Root via Symlinks or Junctions
Summary
Tina is a headless content management system. Prior to version 2.2.2, @tinacms/cli recently added lexical path-traversal checks to the dev media routes, but the implementation still validates only the path string and does not resolve symlink or junction targets. If a link already exists under the media root, Tina accepts a path like pivot/written-from-media.txt as "inside" the media directory and then performs real filesystem operations through that link target. This allows out-of-root media listing and write access, and the same root cause also affects delete. This issue has been patched in version 2.2.2.
Severity
7.1 (High)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34603",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T17:52:31.840761Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T17:54:25.006Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-g87c-r2jp-293w"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "tinacms",
"vendor": "tinacms",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tina is a headless content management system. Prior to version 2.2.2, @tinacms/cli recently added lexical path-traversal checks to the dev media routes, but the implementation still validates only the path string and does not resolve symlink or junction targets. If a link already exists under the media root, Tina accepts a path like pivot/written-from-media.txt as \"inside\" the media directory and then performs real filesystem operations through that link target. This allows out-of-root media listing and write access, and the same root cause also affects delete. This issue has been patched in version 2.2.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T16:08:44.366Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/tinacms/tinacms/security/advisories/GHSA-g87c-r2jp-293w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-g87c-r2jp-293w"
},
{
"name": "https://github.com/tinacms/tinacms/commit/f124eabaca10dac9a4d765c9e4135813c4830955",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tinacms/tinacms/commit/f124eabaca10dac9a4d765c9e4135813c4830955"
}
],
"source": {
"advisory": "GHSA-g87c-r2jp-293w",
"discovery": "UNKNOWN"
},
"title": "@tinacms/graphql\u0027s Media Endpoints Can Escape the Media Root via Symlinks or Junctions"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34603",
"datePublished": "2026-04-01T16:08:44.366Z",
"dateReserved": "2026-03-30T17:15:52.500Z",
"dateUpdated": "2026-04-01T17:54:25.006Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34604 (GCVE-0-2026-34604)
Vulnerability from cvelistv5 – Published: 2026-04-01 16:05 – Updated: 2026-04-01 17:59
Title
@tinacms/graphql's `FilesystemBridge` Path Validation Can Be Bypassed via Symlinks or Junctions
Summary
Tina is a headless content management system. Prior to version 2.2.2, @tinacms/graphql uses string-based path containment checks in FilesystemBridge. That blocks plain ../ traversal, but it does not resolve symlink or junction targets. If a symlink/junction already exists under the allowed content root, a path like content/posts/pivot/owned.md is still considered "inside" the base even though the real filesystem target can be outside it. As a result, FilesystemBridge.get(), put(), delete(), and glob() can operate on files outside the intended root. This issue has been patched in version 2.2.2.
Severity
7.1 (High)
CWE
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34604",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T17:59:42.739451Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T17:59:46.120Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-g9c2-gf25-3x67"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "tinacms",
"vendor": "tinacms",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tina is a headless content management system. Prior to version 2.2.2, @tinacms/graphql uses string-based path containment checks in FilesystemBridge. That blocks plain ../ traversal, but it does not resolve symlink or junction targets. If a symlink/junction already exists under the allowed content root, a path like content/posts/pivot/owned.md is still considered \"inside\" the base even though the real filesystem target can be outside it. As a result, FilesystemBridge.get(), put(), delete(), and glob() can operate on files outside the intended root. This issue has been patched in version 2.2.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T16:05:15.196Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/tinacms/tinacms/security/advisories/GHSA-g9c2-gf25-3x67",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-g9c2-gf25-3x67"
},
{
"name": "https://github.com/tinacms/tinacms/commit/f124eabaca10dac9a4d765c9e4135813c4830955",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tinacms/tinacms/commit/f124eabaca10dac9a4d765c9e4135813c4830955"
}
],
"source": {
"advisory": "GHSA-g9c2-gf25-3x67",
"discovery": "UNKNOWN"
},
"title": "@tinacms/graphql\u0027s `FilesystemBridge` Path Validation Can Be Bypassed via Symlinks or Junctions"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34604",
"datePublished": "2026-04-01T16:05:15.196Z",
"dateReserved": "2026-03-30T17:15:52.500Z",
"dateUpdated": "2026-04-01T17:59:46.120Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33949 (GCVE-0-2026-33949)
Vulnerability from cvelistv5 – Published: 2026-04-01 15:54 – Updated: 2026-04-03 16:44
Title
@tinacms/graphql has Path Traversal that leads to overwrite of arbitrary files
Summary
Tina is a headless content management system. Prior to version 2.2.2, a path traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the relativePath parameter in GraphQL mutations. The impact includes the ability to replace critical server configuration files and potentially execute arbitrary commands by sabotaging build script. This issue has been patched in version 2.2.2.
Severity
8.1 (High)
CWE
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33949",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-03T16:44:36.092778Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T16:44:46.487Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "tinacms",
"vendor": "tinacms",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tina is a headless content management system. Prior to version 2.2.2, a path traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the relativePath parameter in GraphQL mutations. The impact includes the ability to replace critical server configuration files and potentially execute arbitrary commands by sabotaging build script. This issue has been patched in version 2.2.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-73",
"description": "CWE-73: External Control of File Name or Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:54:12.351Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/tinacms/tinacms/security/advisories/GHSA-v9p7-gf3q-h779",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-v9p7-gf3q-h779"
}
],
"source": {
"advisory": "GHSA-v9p7-gf3q-h779",
"discovery": "UNKNOWN"
},
"title": "@tinacms/graphql has Path Traversal that leads to overwrite of arbitrary files"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33949",
"datePublished": "2026-04-01T15:54:12.351Z",
"dateReserved": "2026-03-24T19:50:52.105Z",
"dateUpdated": "2026-04-03T16:44:46.487Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28791 (GCVE-0-2026-28791)
Vulnerability from cvelistv5 – Published: 2026-03-12 16:55 – Updated: 2026-03-13 16:27
Title
Path Traversal in Media Upload Handle in Tina
Summary
Tina is a headless content management system. Prior to 2.1.7, a path traversal vulnerability exists in the TinaCMS development server's media upload handler. The code at media.ts joins user-controlled path segments using path.join() without validating that the resulting path stays within the intended media directory. This allows writing files to arbitrary locations on the filesystem. This vulnerability is fixed in 2.1.7.
Severity
7.4 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28791",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-13T16:27:52.236019Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T16:27:56.642Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-5hxf-c7j4-279c"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "tinacms",
"vendor": "tinacms",
"versions": [
{
"status": "affected",
"version": "\u003c 2.1.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tina is a headless content management system. Prior to 2.1.7, a path traversal vulnerability exists in the TinaCMS development server\u0027s media upload handler. The code at media.ts joins user-controlled path segments using path.join() without validating that the resulting path stays within the intended media directory. This allows writing files to arbitrary locations on the filesystem. This vulnerability is fixed in 2.1.7."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-12T16:55:47.528Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/tinacms/tinacms/security/advisories/GHSA-5hxf-c7j4-279c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-5hxf-c7j4-279c"
}
],
"source": {
"advisory": "GHSA-5hxf-c7j4-279c",
"discovery": "UNKNOWN"
},
"title": "Path Traversal in Media Upload Handle in Tina"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-28791",
"datePublished": "2026-03-12T16:55:47.528Z",
"dateReserved": "2026-03-03T14:25:19.244Z",
"dateUpdated": "2026-03-13T16:27:56.642Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68278 (GCVE-0-2025-68278)
Vulnerability from cvelistv5 – Published: 2025-12-18 15:27 – Updated: 2025-12-18 15:46
Title
tinacms vulnerable to arbitrary code execution
Summary
Tina is a headless content management system. In tinacms prior to version 3.1.1, tinacms uses the gray-matter package in an insecure way allowing attackers that can control the content of the processed markdown files, e.g., blog posts, to execute arbitrary code. tinacms version 3.1.1, @tinacms/cli version 2.0.4, and @tinacms/graphql version 2.0.3 contain a fix for the issue.
Severity
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68278",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-18T15:45:22.577839Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-18T15:46:53.765Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "tinacms",
"vendor": "tinacms",
"versions": [
{
"status": "affected",
"version": "tinacms \u003c 3.1.1"
},
{
"status": "affected",
"version": "@tinacms/cli \u003c 2.0.4"
},
{
"status": "affected",
"version": "@tinacms/graphql \u003c 2.0.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tina is a headless content management system. In tinacms prior to version 3.1.1, tinacms uses the gray-matter package in an insecure way allowing attackers that can control the content of the processed markdown files, e.g., blog posts, to execute arbitrary code. tinacms version 3.1.1, @tinacms/cli version 2.0.4, and @tinacms/graphql version 2.0.3 contain a fix for the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-18T15:27:21.403Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/tinacms/tinacms/security/advisories/GHSA-529f-9qwm-9628",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-529f-9qwm-9628"
},
{
"name": "https://github.com/tinacms/tinacms/commit/fa7c27abef968e3f3a3e7d564f282bc566087569",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tinacms/tinacms/commit/fa7c27abef968e3f3a3e7d564f282bc566087569"
}
],
"source": {
"advisory": "GHSA-529f-9qwm-9628",
"discovery": "UNKNOWN"
},
"title": "tinacms vulnerable to arbitrary code execution"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68278",
"datePublished": "2025-12-18T15:27:21.403Z",
"dateReserved": "2025-12-16T14:17:32.389Z",
"dateUpdated": "2025-12-18T15:46:53.765Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-45391 (GCVE-0-2024-45391)
Vulnerability from cvelistv5 – Published: 2024-09-03 19:43 – Updated: 2024-09-03 20:23
Title
Tina search token leak via lock file in TinaCMS
Summary
Tina is an open-source content management system (CMS). Sites building with Tina CMS's command line interface (CLI) prior to version 1.6.2 that use a search token may be vulnerable to the search token being leaked via lock file (tina-lock.json). Administrators of Tina-enabled websites with search setup should rotate their key immediately. This issue has been patched in @tinacms/cli version 1.6.2. Upgrading and rotating the search token is required for the proper fix.
Severity
7.5 (High)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45391",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-03T20:23:50.587749Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-03T20:23:59.611Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "tinacms",
"vendor": "tinacms",
"versions": [
{
"status": "affected",
"version": "\u003c 1.6.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tina is an open-source content management system (CMS). Sites building with Tina CMS\u0027s command line interface (CLI) prior to version 1.6.2 that use a search token may be vulnerable to the search token being leaked via lock file (tina-lock.json). Administrators of Tina-enabled websites with search setup should rotate their key immediately. This issue has been patched in @tinacms/cli version 1.6.2. Upgrading and rotating the search token is required for the proper fix."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-03T19:43:07.417Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/tinacms/tinacms/security/advisories/GHSA-4qrm-9h4r-v2fx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-4qrm-9h4r-v2fx"
},
{
"name": "https://github.com/tinacms/tinacms/pull/4758",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tinacms/tinacms/pull/4758"
},
{
"name": "https://github.com/tinacms/tinacms/commit/110f1ceea4574d636a64526648f7c8bf6539b26a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tinacms/tinacms/commit/110f1ceea4574d636a64526648f7c8bf6539b26a"
}
],
"source": {
"advisory": "GHSA-4qrm-9h4r-v2fx",
"discovery": "UNKNOWN"
},
"title": "Tina search token leak via lock file in TinaCMS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-45391",
"datePublished": "2024-09-03T19:43:07.417Z",
"dateReserved": "2024-08-28T20:21:32.801Z",
"dateUpdated": "2024-09-03T20:23:59.611Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-25164 (GCVE-0-2023-25164)
Vulnerability from cvelistv5 – Published: 2023-02-08 19:26 – Updated: 2025-03-10 21:14
Title
Sensitive Information leak via Script File in TinaCMS
Summary
Tinacms is a Git-backed headless content management system with support for visual editing. Sites being built with @tinacms/cli >= 1.0.0 && < 1.0.9 which store sensitive values in the process.env variable are impacted. These values will be added in plaintext to the index.js file. If you're on a version prior to 1.0.0 this vulnerability does not affect you. If you are affected and your Tina-enabled website has sensitive credentials stored as environment variables (eg. Algolia API keys) you should rotate those keys immediately. This issue has been patched in @tinacms/cli@1.0.9. Users are advised to upgrade. There are no known workarounds for this issue.
Severity
8.6 (High)
CWE
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:18:35.665Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/tinacms/tinacms/security/advisories/GHSA-pc2q-jcxq-rjrr",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-pc2q-jcxq-rjrr"
},
{
"name": "https://github.com/tinacms/tinacms/pull/3584",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/tinacms/tinacms/pull/3584"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-25164",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T20:58:57.760663Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T21:14:46.127Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "tinacms",
"vendor": "tinacms",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c 1.0.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tinacms is a Git-backed headless content management system with support for visual editing. Sites being built with @tinacms/cli \u003e= 1.0.0 \u0026\u0026 \u003c 1.0.9 which store sensitive values in the process.env variable are impacted. These values will be added in plaintext to the index.js file. If you\u0027re on a version prior to 1.0.0 this vulnerability does not affect you. If you are affected and your Tina-enabled website has sensitive credentials stored as environment variables (eg. Algolia API keys) you should rotate those keys immediately. This issue has been patched in @tinacms/cli@1.0.9. Users are advised to upgrade. There are no known workarounds for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-08T19:26:18.956Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/tinacms/tinacms/security/advisories/GHSA-pc2q-jcxq-rjrr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-pc2q-jcxq-rjrr"
},
{
"name": "https://github.com/tinacms/tinacms/pull/3584",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tinacms/tinacms/pull/3584"
}
],
"source": {
"advisory": "GHSA-pc2q-jcxq-rjrr",
"discovery": "UNKNOWN"
},
"title": "Sensitive Information leak via Script File in TinaCMS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-25164",
"datePublished": "2023-02-08T19:26:18.956Z",
"dateReserved": "2023-02-03T16:59:18.245Z",
"dateUpdated": "2025-03-10T21:14:46.127Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}