CVE-2026-34604 — Path Traversal in Tinacms

CWE-22 — Path Traversal CWE-59 — Link Following CWE-1333 — Regex Denial of Service6 documents5 sources

Severity

8.8HIGHNVD

CNA7.1

EPSS

0.1%

top 76.92%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tinacms Elysiajs Elysia Tinacms Graphql +1 more

Timeline

PublishedApr 1

Description

Tina is a headless content management system. Prior to version 2.2.2, @tinacms/graphql uses string-based path containment checks in FilesystemBridge. That blocks plain ../ traversal, but it does not resolve symlink or junction targets. If a symlink/junction already exists under the allowed content root, a path like content/posts/pivot/owned.md is still considered "inside" the base even though the real filesystem target can be outside it. As a result, FilesystemBridge.get(), put(), delete(), and …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶npmtinacms/graphql< 2.2.2

▶NVDssw/tinacms_graphql2.2.1

▶CVEListV5tinacms/tinacms< 2.2.2

▶npmelysiajs/elysia< 1.4.26

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

@tinacms/graphql's `FilesystemBridge` Path Validation Can Be Bypassed via Symlinks or Junctions↗2026-04-01

▶

CVEList

@tinacms/graphql's `FilesystemBridge` Path Validation Can Be Bypassed via Symlinks or Junctions↗2026-04-01

▶

GHSA

@tinacms/graphql's `FilesystemBridge` Path Validation Can Be Bypassed via Symlinks or Junctions↗2026-04-01

▶

GHSA

Elysia has a string URL format ReDoS↗2026-03-10

▶

🕵️Threat Intelligence

Wiz

CVE-2026-34604 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶