Package details: pkg:npm/%40tinacms/cli@2.1.8
purl pkg:npm/%40tinacms/cli@2.1.8
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (3)
Vulnerability Summary Aliases
VCID-j5k4-p718-17e3 Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI development server exposes media endpoints that are vulnerable to path traversal, allowing attackers to read and write arbitrary files on the filesystem outside the intended media directory. When running tinacms dev, the CLI starts a local HTTP server (default port 4001) exposing endpoints such as /media/list/*, /media/upload/*, and /media/*. These endpoints process user-controlled path segments using decodeURI() and path.join() without validating that the resolved path remains within the configured media directory. This vulnerability is fixed in 2.1.8. CVE-2026-28793
GHSA-2f24-mg4x-534q
VCID-tcnd-bb71-z3hg Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server combines a permissive CORS configuration (Access-Control-Allow-Origin: *) with the path traversal vulnerability (previously reported) to enable a browser-based drive-by attack. A remote attacker can enumerate the filesystem, write arbitrary files, and delete arbitrary files on developers' machines by simply tricking them into visiting a malicious website while tinacms dev is running. This vulnerability is fixed in 2.1.8. CVE-2026-28792
GHSA-8pw3-9m7f-q734
VCID-x7w5-kvqc-s7hw Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server configures Vite with server.fs.strict: false, which disables Vite's built-in filesystem access restriction. This allows any unauthenticated attacker who can reach the dev server to read arbitrary files on the host system. This vulnerability is fixed in 2.1.8. CVE-2026-29066
GHSA-m48g-4wr2-j2h6

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-13T06:27:56.533132+00:00 GHSA Importer Fixing VCID-x7w5-kvqc-s7hw https://github.com/advisories/GHSA-m48g-4wr2-j2h6 38.6.0
2026-06-13T06:27:56.503123+00:00 GHSA Importer Fixing VCID-j5k4-p718-17e3 https://github.com/advisories/GHSA-2f24-mg4x-534q 38.6.0
2026-06-13T06:27:56.460676+00:00 GHSA Importer Fixing VCID-tcnd-bb71-z3hg https://github.com/advisories/GHSA-8pw3-9m7f-q734 38.6.0
2026-06-12T21:27:29.864765+00:00 GitLab Importer Fixing VCID-x7w5-kvqc-s7hw https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@tinacms/cli/CVE-2026-29066.yml 38.6.0
2026-06-12T21:26:58.222014+00:00 GitLab Importer Fixing VCID-tcnd-bb71-z3hg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@tinacms/cli/CVE-2026-28792.yml 38.6.0
2026-06-12T21:25:56.979320+00:00 GitLab Importer Fixing VCID-j5k4-p718-17e3 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@tinacms/cli/CVE-2026-28793.yml 38.6.0
2026-06-12T07:50:12.791327+00:00 GithubOSV Importer Fixing VCID-j5k4-p718-17e3 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-2f24-mg4x-534q/GHSA-2f24-mg4x-534q.json 38.6.0
2026-06-12T07:49:14.240429+00:00 GithubOSV Importer Fixing VCID-x7w5-kvqc-s7hw https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-m48g-4wr2-j2h6/GHSA-m48g-4wr2-j2h6.json 38.6.0
2026-06-12T07:49:05.988512+00:00 GithubOSV Importer Fixing VCID-tcnd-bb71-z3hg https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-8pw3-9m7f-q734/GHSA-8pw3-9m7f-q734.json 38.6.0