npm package
@tinacms/cli
pkg:npm/%40tinacms/cli
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-29066 | — | | | < 2.1.8 | 2.1.8 | Mar 12, 2026 | Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server configures Vite with server.fs.strict: false, which disables Vite's built-in filesystem access restriction. This allows any unauthenticated attacker who can reach the dev server to read arbit |
| CVE-2026-28793 | — | | | < 2.1.8 | 2.1.8 | Mar 12, 2026 | Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI development server exposes media endpoints that are vulnerable to path traversal, allowing attackers to read and write arbitrary files on the filesystem outside the intended media directory. When runnin |
| CVE-2026-28792 | — | | | < 2.1.8 | 2.1.8 | Mar 12, 2026 | Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server combines a permissive CORS configuration (Access-Control-Allow-Origin: *) with the path traversal vulnerability (previously reported) to enable a browser-based drive-by attack. A remote atta |
| CVE-2025-68278 | High | 8.8 | | < 2.0.4 | 2.0.4 | Dec 18, 2025 | Tina is a headless content management system. In tinacms prior to version 3.1.1, tinacms uses the gray-matter package in an insecure way allowing attackers that can control the content of the processed markdown files, e.g., blog posts, to execute arbitrary code. tinacms version 3 |
| CVE-2024-45391 | — | | | < 1.6.2 | 1.6.2 | Sep 3, 2024 | Tina is an open-source content management system (CMS). Sites building with Tina CMS's command line interface (CLI) prior to version 1.6.2 that use a search token may be vulnerable to the search token being leaked via lock file (tina-lock.json). Administrators of Tina-enabled web |
| CVE-2023-25164 | — | | | >= 1.0.0, < 1.0.9 | 1.0.9 | Feb 8, 2023 | Tinacms is a Git-backed headless content management system with support for visual editing. Sites being built with @tinacms/cli >= 1.0.0 && < 1.0.9 which store sensitive values in the process.env variable are impacted. These values will be added in plaintext to the index.js file. |