CVE-2026-24125: Path Traversal in Graphql

CWE-22 Path Traversal | 5 documents | 5 sources
Severity: 6.3 MEDIUM (NVD)
EPSS: 0.1% (top 76.29%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 12

Description

Tina is a headless content management system. Prior to 2.1.2, TinaCMS allows users to create, update, and delete content documents using relative file paths (relativePath, newRelativePath) via GraphQL mutations. Under certain conditions, these paths are combined with the collection path using path.join() without validating that the resolved path remains within the collection root directory. Because path.join() does not prevent directory traversal, paths containing ../ sequences can escape the in
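The path.join() behaviour described above, next to a containment check, as an added example. This is not TinaCMS code and not the 2.1.2 fix; the function names and the collection root are hypothetical values constructed for illustration.

```javascript
// Added illustration; all names and paths here are constructed, not from TinaCMS.
const path = require('node:path').posix; // POSIX semantics so results are the same on every OS

const COLLECTION_ROOT = '/srv/site/content/posts'; // hypothetical collection path

// The pattern from the description: join the collection path and the
// caller-supplied relativePath with no check on where the result lands.
function joinUnchecked(collectionRoot, relativePath) {
  return path.join(collectionRoot, relativePath); // normalizes "../" instead of rejecting it
}

// Hardened form: resolve, then require the result to be strictly below the root.
// path.relative() is used rather than a string-prefix test so that a sibling
// such as ".../posts-private" is not mistaken for a child of ".../posts".
// Symlinks are not covered here; that needs fs.realpath on the resolved path.
function resolveInsideCollection(collectionRoot, relativePath) {
  if (typeof relativePath !== 'string' || relativePath.length === 0) {
    throw new Error('relativePath must be a non-empty string');
  }
  if (relativePath.includes('\0')) throw new Error('NUL byte in path');
  if (path.isAbsolute(relativePath)) throw new Error('absolute path not allowed');

  const root = path.resolve(collectionRoot);
  const target = path.resolve(root, relativePath);
  const rel = path.relative(root, target);
  if (rel === '' || rel === '..' || rel.startsWith('../') || path.isAbsolute(rel)) {
    throw new Error('path escapes collection root');
  }
  return target;
}

// Wrapper that reports the outcome instead of throwing, for logging or tests.
function check(relativePath) {
  try {
    return { ok: true, path: resolveInsideCollection(COLLECTION_ROOT, relativePath) };
  } catch (err) {
    return { ok: false, reason: err.message };
  }
}

// Constructed sample inputs.
for (const p of ['2024/hello.md', 'a/../b.md', '../pages/home.md', '../posts-private/draft.md']) {
  console.log(p, '->', joinUnchecked(COLLECTION_ROOT, p), JSON.stringify(check(p)));
}
```

The same check applies to both relativePath and newRelativePath, since either one can carry the traversal.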

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Exploitability: 2.8 | Impact: 3.4

Affected Packages (3 packages)

CVEListV5: tinacms/graphql < 2.1.2
npm: tinacms/graphql < 2.1.2
NVD: ssw/tinacms_graphql < 2.1.2

🔴 Vulnerability Details (3)

GHSA: @tinacms/graphql has a Path Traversal issue (2026-03-12)
CVEList: Path Traversal in @tinacms/graphql (2026-03-12)
OSV: @tinacms/graphql has a Path Traversal issue (2026-03-12)

🕵️ Threat Intelligence (1)

Wiz: CVE-2026-24125 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-24125 — Path Traversal in Tinacms Graphql | cvebase