CVE-2025-68278Code Injection in Tinacms

CWE-94Code Injection5 documents5 sources
Severity
7.3HIGHNVD
EPSS
0.1%
top 78.28%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
6
SSW TinacmsSSW Tinacms CLISSW Tinacms Graphql+3 more
Timeline
PublishedDec 18

Description

Tina is a headless content management system. In tinacms prior to version 3.1.1, tinacms uses the gray-matter package in an insecure way allowing attackers that can control the content of the processed markdown files, e.g., blog posts, to execute arbitrary code. tinacms version 3.1.1, @tinacms/cli version 2.0.4, and @tinacms/graphql version 2.0.3 contain a fix for the issue.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages7 packages

npmtinacms/graphql< 2.0.3
NVDssw/tinacms_graphql< 2.0.3
NVDssw/tinacms< 3.1.1
npmtinacms/cli< 2.0.4
NVDssw/tinacms_cli< 2.0.4

Patches

Patch: github.com

🔴Vulnerability Details

3
GHSA
tinacms is vulnerable to arbitrary code execution2025-12-18
CVEList
tinacms vulnerable to arbitrary code execution2025-12-18
OSV
tinacms is vulnerable to arbitrary code execution2025-12-18

🕵️Threat Intelligence

1
Wiz
CVE-2025-68278 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2025-68278 — Code Injection in SSW Tinacms | cvebase