CVE-2026-29066
Published 2026-03-12
Priority: P3 (44) · Severity: medium · CVSS 3.1 base score: 6.2
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit: EPSS 1.03% (59.2 percentile)
Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server configures Vite with server.fs.strict: false, which disables Vite's built-in filesystem access restriction. This allows any unauthenticated attacker who can reach the dev server to read arbitrary files on the host system. This vulnerability is fixed in 2.1.8.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ssw | tinacms_cli | < 2.1.8 | 2.1.8 |
| tinacms | cli | < 2.1.8 | 2.1.8 |
| tinacms | cli | >= 0 < 2.1.8 | 2.1.8 |
OSV
TinaCMS CLI has Arbitrary File Read via Disabled Vite Filesystem Restriction (CVE-2026-29066, MEDIUM, published 2026-03-12)
## Summary
The TinaCMS CLI dev server configures Vite with `server.fs.strict: false`, which disables Vite's built-in filesystem access restriction. This allows any unauthenticated attacker who can reach the dev server to read arbitrary files on the host system.
## Details
When running `tinacms dev`, the CLI starts a Vite dev server configured in:
`packages/@tinacms/cli/src/next/vite/index.ts`
```ts
server: {
  host: configManager.config?.build?.host ?? false,
  ...
  fs: {
    strict: false, // Disables Vite's filesystem access restriction
  },
},
```
TinaCMS middleware only intercepts specific route prefixes (/media/*, /graphql, /altair, /searchIndex). Any request to a path outside these routes falls through to Vite's default
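The effect of that one setting is easiest to see by modelling the decision it controls. The block below is an added example written for this page, not TinaCMS or Vite code: a simplified JavaScript model of Vite's file-serving check, with a `server` block in the vulnerable shape quoted above next to a hardened one. The project root `/srv/site`, the sample request paths, the `allow`/`deny` lists and every function name are assumptions constructed for the example; the deny patterns are modelled on Vite's documented default deny list, and the check order approximates Vite's documented behaviour rather than quoting its implementation.

```javascript
// Added example, not TinaCMS or Vite code: a simplified model of the check that
// Vite's static-file serving performs under server.fs, to show what
// `strict: false` discards. Root, configs, paths and names are constructed.

// Constructed project root (the directory `tinacms dev` would be started in).
const PROJECT_ROOT = "/srv/site";

// Same shape as the server block quoted in the advisory: the restriction is off.
const vulnerableServerConfig = {
  host: false,
  fs: { strict: false },
};

// Hardened form: keep the restriction, allow only the project tree, and deny
// secret-bearing files by basename (patterns modelled on Vite's default deny list).
const hardenedServerConfig = {
  host: false,
  fs: {
    strict: true,
    allow: [PROJECT_ROOT],
    deny: [".env", ".env.*", "*.{crt,pem}"],
  },
};

// Collapse "." and ".." segments of an absolute POSIX path so a traversal such as
// /srv/site/../../etc/passwd is compared as /etc/passwd.
function normalizePosix(p) {
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { out.pop(); continue; }
    out.push(seg);
  }
  return "/" + out.join("/");
}

// Minimal glob -> RegExp for basename patterns: "*" and "{a,b}" are all we need.
function globToRegExp(glob) {
  let re = "";
  for (const c of glob) {
    if (c === "*") re += "[^/]*";
    else if (c === "{") re += "(?:";
    else if (c === "}") re += ")";
    else if (c === ",") re += "|";
    else re += c.replace(/[.+?^$()|[\]\\]/g, "\\$&");
  }
  return new RegExp("^" + re + "$");
}

// True when `file` is `dir` itself or lies underneath it (segment-aware, so
// /srv/site-other is not treated as inside /srv/site).
function isParentDirectory(dir, file) {
  const d = normalizePosix(dir);
  return file === d || file.startsWith(d === "/" ? "/" : d + "/");
}

// Decide whether a request that resolves to `requestedPath` on disk may be served.
// With strict: false every path is allowed before it is even looked at, which is
// the TinaCMS < 2.1.8 condition; with strict: true the file must sit under an
// allowed directory and must not match the deny list.
function isFileServingAllowed(requestedPath, fsConfig) {
  if (!fsConfig.strict) return true;
  const file = normalizePosix(decodeURIComponent(requestedPath));
  const base = file.slice(file.lastIndexOf("/") + 1);
  if ((fsConfig.deny || []).some((g) => globToRegExp(g).test(base))) return false;
  return (fsConfig.allow || []).some((dir) => isParentDirectory(dir, file));
}

// Constructed requests: on-disk paths a dev server might be asked to serve.
const SAMPLE_REQUESTS = [
  "/etc/passwd",
  "/srv/site/../../etc/passwd",
  "/srv/site/%2e%2e/%2e%2e/etc/shadow",
  "/srv/site/.env",
  "/srv/site/certs/server.pem",
  "/srv/site-other/index.js",
  "/srv/site/src/main.ts",
];

// Evaluate every sample request under one fs config; returns { path: allowed }.
function evaluate(fsConfig) {
  const result = {};
  for (const p of SAMPLE_REQUESTS) result[p] = isFileServingAllowed(p, fsConfig);
  return result;
}

console.log("strict: false ->", evaluate(vulnerableServerConfig.fs));
console.log("strict: true  ->", evaluate(hardenedServerConfig.fs));
```

With `strict: false` the function returns before it inspects the path, which is why the middleware's route prefixes (/media/*, /graphql, /altair, /searchIndex) offer no protection: every URL outside them reaches Vite's file serving with the restriction already waived. The remediation is to leave Vite's default (`strict: true`) in place; a project that genuinely needs files from outside its root should list those directories in `server.fs.allow` rather than switching the check off.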
GHSA
TinaCMS CLI has Arbitrary File Read via Disabled Vite Filesystem Restriction (CVE-2026-29066, MEDIUM, CWE-200, published 2026-03-12). The advisory text is identical to the OSV entry above.
No detection rules found.
Nuclei
TinaCMS - Path Traversal (CVE-2026-29066, MEDIUM, CVSS 6.2)
TinaCMS CLI < 2.1.8 contains a file system read vulnerability caused by the disabled Vite `server.fs.strict` setting, letting unauthenticated attackers read arbitrary files on the host system; exploitation requires network access to the dev server.
Template:
```yaml
id: CVE-2026-29066

info:
  name: TinaCMS - Path Traversal
  author: theamanrawat
  severity: medium
  description: |
    TinaCMS CLI < 2.1.8 contains a file system read vulnerability caused by disabled Vite server.fs.strict setting, letting unauthenticated attackers read arbitrary files on the host system, exploit requires access to the dev server.
  impact: |
    Unauthenticated attackers can read arbitrary files on the host system, potentially exposing sensitive information.
  remediation: |
    Update to version 2.1.8 or later.
  reference:
    - https
```