VYPR
Vendor

Ssw

Products
2
CVEs
5
Across products
6
Status
Private

Products

2

Recent CVEs

5
  • CVE-2026-33949HigApr 1, 2026
    risk 0.53cvss 8.1epss 0.00

    Tina is a headless content management system. Prior to version 2.2.2, a path traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the relativePath parameter in…

  • CVE-2025-68278HigDec 18, 2025
    risk 0.50cvss 8.8epss 0.00

    Tina is a headless content management system. In tinacms prior to version 3.1.1, tinacms uses the gray-matter package in an insecure way allowing attackers that can control the content of the processed markdown files, e.g., blog posts, to execute arbitrary code. tinacms version…

  • CVE-2026-34604HigApr 1, 2026
    risk 0.39cvss 7.1epss 0.00

    Tina is a headless content management system. Prior to version 2.2.2, @tinacms/graphql uses string-based path containment checks in FilesystemBridge. That blocks plain ../ traversal, but it does not resolve symlink or junction targets. If a symlink/junction already exists under…

  • CVE-2026-34603HigApr 1, 2026
    risk 0.39cvss 7.1epss 0.00

    Tina is a headless content management system. Prior to version 2.2.2, @tinacms/cli recently added lexical path-traversal checks to the dev media routes, but the implementation still validates only the path string and does not resolve symlink or junction targets. If a link…

  • CVE-2026-55660higJun 19, 2026
    risk 0.38cvss epss

    TinaCMS registers window message listeners — the useTina overlay handler, the OAuth authentication popup handler, and the admin↔preview iframe GraphQL reducer — that act on event.data without verifying event.origin or event.source, and post messages using non-specific…