tinacms

13 known vulnerabilities · 0 critical · 4 high

tinacms is vulnerable to arbitrary code execution

Published Dec 18, 2025

Tina: Path Traversal in Media Upload Handle

Published Mar 12, 2026

GHSA-2vcc-5v34-9jc8

TinaCMS rich-text (slatejson) rendering does not sanitize link/image URLs, allowing stored XSS via dangerous URL schemes

Published Jun 18, 2026

GHSA-g5qx-h5f3-mp2f

TinaCMS: Cross-origin postMessage handlers and rich-text URL-sanitization bypass enable stored XSS and session takeover

Published Jun 19, 2026

TinaCMS CLI Dev Server Vulnerable to Cross-Origin File Exfiltration via CORS Misconfiguration + Path Traversal in TinaCMS

Published Mar 12, 2026

@tinacms/graphql has a Path Traversal issue

Published Mar 12, 2026

TinaCMS Vulnerable to Path Traversal Leading to Arbitrary File Read, Write and Delete

Published Mar 12, 2026

Sensitive Information leak via Script File in TinaCMS

Published Feb 8, 2023

Risk: 35.52/100

@tinacms/graphql's Media Endpoints Can Escape the Media Root via Symlinks or Junctions

Published Apr 1, 2026

Risk: 35.52/100

@tinacms/graphql's `FilesystemBridge` Path Validation Can Be Bypassed via Symlinks or Junctions

Published Apr 1, 2026

TinaCMS CLI has Arbitrary File Read via Disabled Vite Filesystem Restriction

Published Mar 12, 2026

Risk: 40.54/100

@tinacms/graphql has Path Traversal that leads to overwrite of arbitrary files

Published Mar 30, 2026

GHSA-4936-9hrh-qqpw

@tinacms/cli: Remote Code Execution in @tinacms/cli via Forestry migration — unsanitised __TINA_INTERNAL__ marker in user-controlled YAML labels

Published Jun 19, 2026

Check your entire dependency tree at onceRun dependency scan →