Tinacms Cli vulnerabilities

6 known vulnerabilities affecting tinacms/cli.

Total CVEs: 6
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 4, MEDIUM 1

Vulnerabilities

CVE-2026-28792 | CRITICAL | CVSS 9.6 | fixed in 2.1.8 | 2026-03-12
CVE-2026-28792 [CRITICAL] CWE-22: Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server combines a permissive CORS configuration (Access-Control-Allow-Origin: *) with the path traversal vulnerability (previously reported) to enable a browser-based drive-by attack. A remote attacker can enumerate the filesystem, write arbitrary files, and delete a
Sources: cvelistv5, ghsa, nvd, osv
CVE-2026-28793 | HIGH | CVSS 8.4 | fixed in 2.1.8 | 2026-03-12
CVE-2026-28793 [HIGH] CWE-22: Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI development server exposes media endpoints that are vulnerable to path traversal, allowing attackers to read and write arbitrary files on the filesystem outside the intended media directory. When running tinacms dev, the CLI starts a local HTTP server (default port 4001) expo
Sources: cvelistv5, ghsa, nvd, osv
CVE-2026-29066 | MEDIUM | CVSS 6.2 | PoC | fixed in 2.1.8 | 2026-03-12
CVE-2026-29066 [MEDIUM] CWE-200: Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server configures Vite with server.fs.strict: false, which disables Vite's built-in filesystem access restriction. This allows any unauthenticated attacker who can reach the dev server to read arbitrary files on the host system. This vulnerability is fixed in 2.1.8.
Sources: cvelistv5, ghsa, nvd, osv
CVE-2025-68278 | HIGH | affected ≥ 0, < 2.0.4 | 2025-12-18
CVE-2025-68278 [HIGH] CWE-94: tinacms is vulnerable to arbitrary code execution
Summary: `tinacms` uses the `gray-matter` package in an insecure way allowing attackers that can control the content of the processed markdown files, e.g., blog posts, to execute arbitrary code.
Details: The `gray-matter` package executes by default the code in the markdown file's front matter. `tinacms` does not change this behavior when proces
Sources: ghsa, osv
CVE-2024-45391 | HIGH | affected ≥ 0, < 1.6.2 | 2024-09-03
CVE-2024-45391 [HIGH] CWE-200: Tina search token leak via lock file in TinaCMS
Impact: Tina search token leaked via lock file (tina-lock.json) in TinaCMS. Sites building with @tinacms/cli < 1.6.2 that use a search token are impacted. If your Tina-enabled website has search setup, you should rotate that key immediately.
Patches: This issue has been patched in @tinacms/cli@1.6.2
Workarounds: Upgrading, and rotating search token is require
Sources: ghsa, osv
CVE-2023-25164 | HIGH | affected ≥ 1.0.0, < 1.0.9 | 2023-02-08
CVE-2023-25164 [HIGH] CWE-200: Sensitive Information leak via Script File in TinaCMS
Impact: Sensitive Information leaked via script File in TinaCMS. Sites building with @tinacms/cli >= 1.0.0 && < 1.0.9 that store sensitive values in process.env var are impacted. If you're on a version prior to 1.0.0 this vulnerability does not affect you. If your Tina-enabled website has sensitive credentials stored as environment variables (eg. Algolia
Sources: ghsa, osv