CVE-2026-29066
published 2026-03-12

Priority: P3 (44) | Severity: medium | CVSS 3.1: 6.2
Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 1.03% (59.2th percentile)
Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server configures Vite with server.fs.strict: false, which disables Vite's built-in filesystem access restriction. This allows any unauthenticated attacker who can reach the dev server to read arbitrary files on the host system. This vulnerability is fixed in 2.1.8.

Affected

3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ssw | tinacms_cli | < 2.1.8 | 2.1.8 |
| tinacms | cli | < 2.1.8 | 2.1.8 |
| tinacms | cli | >= 0 < 2.1.8 | 2.1.8 |