CVE-2026-54074
Published 2026-06-19
Severity: high
@tinacms/cli: Remote Code Execution in @tinacms/cli via Forestry migration — unsanitised __TINA_INTERNAL__ marker in user-controlled YAML labels
## Description
### Summary
`@tinacms/cli` contains a Remote Code Execution vulnerability in its
Forestry-to-Tina migration command. The internal helper `addVariablesToCode`
unquotes any value matching the marker `"__TINA_INTERNAL__:::(.*?):::"`
inside the stringified collection JSON. User-supplied `label` and `name`
fields from `.forestry/**/*.yml` are placed into that JSON without any
sanitisation. An attacker who controls a Forestry-style project can therefore
inject arbitrary JavaScript into the generated `tina/templates.{ts,js}`
file. The injected code is written at module top level, so it executes
**the moment the developer runs `tinacms dev` or `tinacms build`**, with the
developer's privileges.
### Details
**Vulnerable code path:**
1. `packages/@tinacms/cli/src/cmds/forestry-migrate/util/index.ts`
— `transformForestryFieldsToTinaFields()` writes `forestryField.label`
(and `.name`) straight into TinaField objects (no sanitisation).
2. `packages/@tinacms/cli/src/cmds/forestry-migrate/util/codeTransformer.ts`,
lines 16-22 — the regex-based unquoter:
```ts
// Regex-based unquoter: every quoted marker is replaced by its raw contents,
// with no check on what those contents are.
export const addVariablesToCode = (codeWithTinaPrefix: string) => {
  const code = codeWithTinaPrefix.replace(
    /"__TINA_INTERNAL__:::(.*?):::"/g,
    '$1'
  );
  return { code };
};
```
3. `codeTransformer.ts` lines 80-88 — the field array is
`JSON.stringify`-ed and then handed to `addVariablesToCode`. Because
`JSON.stringify` does **not** escape single quotes or backticks, a
payload that avoids `"` survives the JSON pass intact.
4. `packages/@tinacms/cli/src/cmds/init/apply.ts` lines 110-116 — the
resulting string is written to `tina/templates.{ts,js}` and imported by
the generated `tina/config.{ts,js}`, which `tinacms dev` evaluates.
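The unquoter from step 2 beside a hardened variant and a pre-migration scan, as an added TypeScript example that is not `@tinacms/cli` code and not the project's actual fix; `SAFE_REF`, `findMarkerInFields` and the sample fields are assumptions made for the illustration:

```typescript
const MARKER = /"__TINA_INTERNAL__:::(.*?):::"/g;

// Behaviour the advisory describes: any quoted marker is unquoted verbatim,
// so whatever sat between the ::: delimiters lands in templates.ts as code.
function addVariablesToCodeVulnerable(codeWithTinaPrefix: string): { code: string } {
  return { code: codeWithTinaPrefix.replace(MARKER, '$1') };
}

// Hardened variant (assumption: the migration only ever needs to emit plain
// identifiers or dotted member paths here). Anything else is left as the JSON
// string literal it already is, so it can never be parsed as code.
const SAFE_REF = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

function addVariablesToCodeHardened(codeWithTinaPrefix: string): { code: string } {
  const code = codeWithTinaPrefix.replace(MARKER, (match: string, ref: string) =>
    SAFE_REF.test(ref) ? ref : match,
  );
  return { code };
}

// Defender-side check to run before migrating an untrusted Forestry project:
// report any name/label that carries the internal marker, which no legitimate
// .forestry/**/*.yml has reason to contain.
interface ForestryField { name?: string; label?: string }

function findMarkerInFields(fields: ForestryField[]): string[] {
  const hits: string[] = [];
  for (const f of fields) {
    for (const key of ['name', 'label'] as const) {
      const v = f[key];
      if (typeof v === 'string' && v.includes('__TINA_INTERNAL__')) {
        hits.push(`${key}=${JSON.stringify(v)}`);
      }
    }
  }
  return hits;
}

// Constructed sample: one benign field, one whose label smuggles a non-identifier
// expression through the marker (a harmless placeholder, not an exploit).
const sampleFields: ForestryField[] = [
  { name: 'title', label: 'Title' },
  { name: 'body', label: '__TINA_INTERNAL__:::1 + 1:::' },
];
const stringified = JSON.stringify(sampleFields);
console.log(addVariablesToCodeVulnerable(stringified).code); // label becomes bare 1 + 1
console.log(addVariablesToCodeHardened(stringified).code);   // label stays a string
console.log(findMarkerInFields(sampleFields));
```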
**Why it executes immediately:** the regex unquoting allows the attacker's
payload to *close the surrounding object/arra
## Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tinacms | cli | >= 0 < 2.4.3 | 2.4.3 |