VYPR
Moderate severity · NVD Advisory · Published Mar 12, 2026 · Updated Mar 13, 2026

Arbitrary File Read via Disabled Vite Filesystem Restriction in TinaCMS CLI

CVE-2026-29066

Description

Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server configures Vite with server.fs.strict: false, which disables Vite's built-in filesystem access restriction. This allows any unauthenticated attacker who can reach the dev server to read arbitrary files on the host system. This vulnerability is fixed in 2.1.8.
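A defender-side check for the condition described above, as an added example that is not code from the advisory or from the TinaCMS project. It looks for @tinacms/cli below 2.1.8 in an npm lockfile and, generalizing to a project's own Vite configs, flags an explicit server.fs.strict: false; the function names and the sample lockfile are assumptions constructed for illustration.

```javascript
// Added example. PATCHED is the fixed version named in the advisory;
// sampleLock and the config objects passed in are constructed inputs.
const PATCHED = "2.1.8";

// Compare dotted numeric versions; negative when a < b.
// A pre-release suffix ("-beta.1") is ignored, so review such builds by hand.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk the "packages" map of an npm lockfile (lockfileVersion 2 or 3) and
// return every installed copy of @tinacms/cli older than PATCHED.
function findVulnerableCli(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/@tinacms/cli")) continue;
    if (meta.version && compareVersions(meta.version, PATCHED) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Audit a plain Vite config object. Only an explicit `strict: false` is a
// finding, because Vite's default for server.fs.strict is true.
function auditViteConfig(cfg) {
  const server = (cfg && cfg.server) || {};
  const findings = [];
  if (server.fs && server.fs.strict === false) {
    findings.push("server.fs.strict is false");
  }
  return findings;
}

const sampleLock = { // constructed sample
  packages: {
    "": { name: "demo-site" },
    "node_modules/@tinacms/cli": { version: "2.1.7" },
    "node_modules/demo-dep/node_modules/@tinacms/cli": { version: "2.1.8" },
  },
};
console.log(findVulnerableCli(sampleLock), auditViteConfig({ server: { fs: { strict: false } } }));
```

On a real project, pass the parsed contents of package-lock.json to findVulnerableCli; nested copies pulled in by other dependencies are reported with their path.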

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
@tinacms/cli (npm) | < 2.1.8 | 2.1.8
