Moderate severity · NVD Advisory · Published Mar 12, 2026 · Updated Mar 13, 2026
Arbitrary File Read via Disabled Vite Filesystem Restriction in TinaCMS CLI
CVE-2026-29066
Description
Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server configures Vite with server.fs.strict: false, which disables Vite's built-in filesystem access restriction. This allows any unauthenticated attacker who can reach the dev server to read arbitrary files on the host system. This vulnerability is fixed in 2.1.8.
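A triage check for the condition described above, as an added example that is not code from TinaCMS, Vite or the advisory: it compares an installed `@tinacms/cli` version against the 2.1.8 fix and reviews a Vite `server` config object for the disabled restriction and a non-loopback bind. The function names and sample configs are constructed for illustration; `server.fs.strict` and `server.host` are Vite's own options.

```javascript
// Added example, not TinaCMS or Vite source; function names are hypothetical.
const FIXED = [2, 1, 8]; // first patched @tinacms/cli release per the advisory

// True when a version string sorts below 2.1.8 in semver ordering.
function isAffectedCliVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(version).trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  const parts = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i];
  }
  return Boolean(m[4]); // a 2.1.8 pre-release precedes 2.1.8 itself
}

// Review the `server` block of a Vite config object and list what needs attention.
function auditViteServer(server = {}) {
  const findings = [];
  const fsOpts = server.fs || {};
  if (fsOpts.strict === false) {
    findings.push('server.fs.strict is false: filesystem access restriction disabled');
  }
  const host = server.host;
  // Vite binds to localhost by default; `true` or 0.0.0.0 listens on all addresses.
  const loopback = host === undefined || host === false ||
    ['localhost', '127.0.0.1', '::1'].includes(host);
  if (!loopback) {
    findings.push(`server.host=${JSON.stringify(host)}: reachable beyond loopback`);
  }
  return findings;
}

// Constructed sample configs: the weak setting beside the corrected one.
const weak = { host: true, fs: { strict: false } };
const hardened = { host: '127.0.0.1', fs: { strict: true } };

console.log(isAffectedCliVersion('2.1.7'), auditViteServer(weak), auditViteServer(hardened));
```
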
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @tinacms/cli (npm) | < 2.1.8 | 2.1.8 |
Affected products
- @tinacms/cli · v5 · Range: < 2.1.8
References
- github.com/advisories/GHSA-m48g-4wr2-j2h6 · ghsa · ADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-29066 · ghsa · ADVISORY
- github.com/tinacms/tinacms/security/advisories/GHSA-m48g-4wr2-j2h6 · ghsa · x_refsource_CONFIRM · WEB