VYPR

npm package

tinacms

pkg:npm/tinacms

Vulnerabilities (2)

  • CVE-2026-28791Mar 12, 2026
    affected < 2.1.7fixed 2.1.7

    Tina is a headless content management system. Prior to 2.1.7, a path traversal vulnerability exists in the TinaCMS development server's media upload handler. The code at media.ts joins user-controlled path segments using path.join() without validating that the resulting path stay

  • CVE-2025-68278HigDec 18, 2025
    affected < 3.1.1fixed 3.1.1

    Tina is a headless content management system. In tinacms prior to version 3.1.1, tinacms uses the gray-matter package in an insecure way allowing attackers that can control the content of the processed markdown files, e.g., blog posts, to execute arbitrary code. tinacms version 3