Ssw Tinacms Cli vulnerabilities

8 known vulnerabilities affecting ssw/tinacms_cli.

Total CVEs: 8
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 6, MEDIUM 1

Vulnerabilities

CVE-2026-34603 | HIGH | CVSS 8.3 | ≤ 2.2.1 | 2026-04-01
[HIGH] CWE-22 CVE-2026-34603: Tina is a headless content management system. Prior to version 2.2.2, @tinacms/cli recently added lexical path-traversal checks to the dev media routes, but the implementation still validates only the path string and does not resolve symlink or junction targets. If a link already exists under the media root, Tina accepts a path like pivot/written-from-
Source: nvd
CVE-2026-28792 | CRITICAL | CVSS 9.6 | fixed in 2.1.8 | 2026-03-12
[CRITICAL] CWE-22 CVE-2026-28792: Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server combines a permissive CORS configuration (Access-Control-Allow-Origin: *) with the path traversal vulnerability (previously reported) to enable a browser-based drive-by attack. A remote attacker can enumerate the filesystem, write arbitrary files, and delete a
Source: nvd
CVE-2026-28793 | HIGH | CVSS 8.4 | fixed in 2.1.8 | 2026-03-12
[HIGH] CWE-22 CVE-2026-28793: Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI development server exposes media endpoints that are vulnerable to path traversal, allowing attackers to read and write arbitrary files on the filesystem outside the intended media directory. When running tinacms dev, the CLI starts a local HTTP server (default port 4001) expo
Source: nvd
CVE-2026-28791 | HIGH | CVSS 7.4 | fixed in 2.1.7 | 2026-03-12
[HIGH] CWE-22 CVE-2026-28791: Tina is a headless content management system. Prior to 2.1.7, a path traversal vulnerability exists in the TinaCMS development server's media upload handler. The code at media.ts joins user-controlled path segments using path.join() without validating that the resulting path stays within the intended media directory. This allows writing files to arbitra
Source: nvd
CVE-2026-29066 | MEDIUM | CVSS 6.2 | PoC | fixed in 2.1.8 | 2026-03-12
[MEDIUM] CWE-200 CVE-2026-29066: Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server configures Vite with server.fs.strict: false, which disables Vite's built-in filesystem access restriction. This allows any unauthenticated attacker who can reach the dev server to read arbitrary files on the host system. This vulnerability is fixed in 2.1.8.
Source: nvd
CVE-2025-68278 | HIGH | CVSS 7.3 | fixed in 2.0.4 | 2025-12-18
[HIGH] CWE-94 CVE-2025-68278: Tina is a headless content management system. In tinacms prior to version 3.1.1, tinacms uses the gray-matter package in an insecure way allowing attackers that can control the content of the processed markdown files, e.g., blog posts, to execute arbitrary code. tinacms version 3.1.1, @tinacms/cli version 2.0.4, and @tinacms/graphql version 2.0.3 conta
Source: nvd
CVE-2024-45391 | HIGH | CVSS 7.5 | fixed in 1.6.2 | 2024-09-03
[HIGH] CWE-200 CVE-2024-45391: Tina is an open-source content management system (CMS). Sites building with Tina CMS's command line interface (CLI) prior to version 1.6.2 that use a search token may be vulnerable to the search token being leaked via lock file (tina-lock.json). Administrators of Tina-enabled websites with search setup should rotate their key immediately. This issue ha
Source: nvd
CVE-2023-25164 | HIGH | CVSS 7.5 | ≥ 1.0.0, < 1.0.9 | 2023-02-08
[HIGH] CWE-200 CVE-2023-25164: Tinacms is a Git-backed headless content management system with support for visual editing. Sites being built with @tinacms/cli >= 1.0.0 && < 1.0.9 which store sensitive values in the process.env variable are impacted. These values will be added in plaintext to the index.js file. If you're on a version prior to 1.0.0 this vulnerability does not affect
Source: nvd