VYPR

npm package

@tinacms/cli

pkg:npm/%40tinacms/cli

Vulnerabilities (6)

  • CVE-2026-29066 | Mar 12, 2026
    affected < 2.1.8 | fixed 2.1.8

    Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server configures Vite with server.fs.strict: false, which disables Vite's built-in filesystem access restriction. This allows any unauthenticated attacker who can reach the dev server to read arbit

  • CVE-2026-28793 | Mar 12, 2026
    affected < 2.1.8 | fixed 2.1.8

    Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI development server exposes media endpoints that are vulnerable to path traversal, allowing attackers to read and write arbitrary files on the filesystem outside the intended media directory. When runnin

  • CVE-2026-28792 | Mar 12, 2026
    affected < 2.1.8 | fixed 2.1.8

    Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server combines a permissive CORS configuration (Access-Control-Allow-Origin: *) with the path traversal vulnerability (previously reported) to enable a browser-based drive-by attack. A remote atta

  • CVE-2025-68278 | High | Dec 18, 2025
    affected < 2.0.4 | fixed 2.0.4

    Tina is a headless content management system. In tinacms prior to version 3.1.1, tinacms uses the gray-matter package in an insecure way allowing attackers that can control the content of the processed markdown files, e.g., blog posts, to execute arbitrary code. tinacms version 3

  • CVE-2024-45391 | Sep 3, 2024
    affected < 1.6.2 | fixed 1.6.2

    Tina is an open-source content management system (CMS). Sites building with Tina CMS's command line interface (CLI) prior to version 1.6.2 that use a search token may be vulnerable to the search token being leaked via lock file (tina-lock.json). Administrators of Tina-enabled web

  • CVE-2023-25164 | Feb 8, 2023
    affected >= 1.0.0, < 1.0.9 | fixed 1.0.9

    Tinacms is a Git-backed headless content management system with support for visual editing. Sites being built with @tinacms/cli >= 1.0.0 && < 1.0.9 which store sensitive values in the process.env variable are impacted. These values will be added in plaintext to the index.js file.