Search for packages
| purl | pkg:npm/tinacms@2.2.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-czz4-ta7z-xqfy
Aliases: CVE-2025-68278 GHSA-529f-9qwm-9628 |
tinacms is vulnerable to arbitrary code execution ```tinacms``` uses the ```gray-matter``` package in an insecure way allowing attackers that can control the content of the processed markdown files, e.g., blog posts, to execute arbitrary code. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-6mwj-3aap-ffcr | Tina: Path Traversal in Media Upload Handle A **path traversal vulnerability (CWE-22)** exists in the TinaCMS development server's media upload handler. The code at `media.ts:42-43` joins user-controlled path segments using `path.join()` without validating that the resulting path stays within the intended media directory. This allows writing files to arbitrary locations on the filesystem. **Attack Vector**: Network (HTTP POST request) **Impact**: Arbitrary file write, potential Remote Code Execution --- |
CVE-2026-28791
GHSA-5hxf-c7j4-279c |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-06T07:20:27.847815+00:00 | GitLab Importer | Fixing | VCID-6mwj-3aap-ffcr | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tinacms/CVE-2026-28791.yml | 38.6.0 |
| 2026-06-06T06:32:42.723297+00:00 | GitLab Importer | Affected by | VCID-czz4-ta7z-xqfy | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tinacms/CVE-2025-68278.yml | 38.6.0 |