Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2026-29066: Sensitive Information Exposure in CLI

Severity: 6.2 MEDIUM (NVD)
EPSS: 3.4% (top 12.53%)
CISA KEV: Not in KEV
Exploit: PoC available
Published: Mar 12

Description

Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server configures Vite with server.fs.strict: false, which disables Vite's built-in filesystem access restriction. This allows any unauthenticated attacker who can reach the dev server to read arbitrary files on the host system. This vulnerability is fixed in 2.1.8.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.5 | Impact: 3.6

Affected Packages (3 packages)

CVEListV5: tinacms/cli < 2.1.8
npm: tinacms/cli < 2.1.8
NVD: ssw/tinacms_cli < 2.1.8

🔴 Vulnerability Details (3)

CVEList: Arbitrary File Read via Disabled Vite Filesystem Restriction in TinaCMS CLI (2026-03-12)
OSV: TinaCMS CLI has Arbitrary File Read via Disabled Vite Filesystem Restriction (2026-03-12)
GHSA: TinaCMS CLI has Arbitrary File Read via Disabled Vite Filesystem Restriction (2026-03-12)

💥 Exploits & PoCs (1)

Nuclei: TinaCMS - Path Traversal

🕵️Threat Intelligence

Wiz: CVE-2026-29066 Impact, Exploitability, and Mitigation Steps | Wiz