Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/1002727?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/1002727?format=api", "purl": "pkg:npm/%40tinacms/graphql@0.0.0-5cd6fb7-20260324232807", "type": "npm", "namespace": "@tinacms", "name": "graphql", "version": "0.0.0-5cd6fb7-20260324232807", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "2.2.2", "latest_non_vulnerable_version": "2.2.2", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90112?format=api", "vulnerability_id": "VCID-n113-nq2s-5yg3", "summary": "@tinacms/graphql's Media Endpoints Can Escape the Media Root via Symlinks or Junctions\n## Summary\n\n`@tinacms/cli` recently added lexical path-traversal checks to the dev media routes, but the implementation still validates only the path string and does not resolve symlink or junction targets.\n\nIf a link already exists under the media root, Tina accepts a path like `pivot/written-from-media.txt` as \"inside\" the media directory and then performs real filesystem operations through that link target. This allows out-of-root media listing and write access, and the same root cause also affects delete.\n\n## Details\n\nThe dev media handlers validate user-controlled paths with:\n\n```ts\nfunction resolveWithinBase(userPath: string, baseDir: string): string {\n const resolvedBase = path.resolve(baseDir);\n const resolved = path.resolve(path.join(baseDir, userPath));\n if (resolved === resolvedBase) {\n return resolvedBase;\n }\n if (resolved.startsWith(resolvedBase + path.sep)) {\n return resolved;\n }\n throw new PathTraversalError(userPath);\n}\n\nfunction resolveStrictlyWithinBase(userPath: string, baseDir: string): string {\n const resolvedBase = path.resolve(baseDir) + path.sep;\n const resolved = path.resolve(path.join(baseDir, userPath));\n if (!resolved.startsWith(resolvedBase)) {\n throw new PathTraversalError(userPath);\n }\n return resolved;\n}\n```\n\nBut the validated path is then used directly for real filesystem access:\n\n```ts\nfilesStr = await fs.readdir(validatedPath);\n...\nawait fs.ensureDir(path.dirname(saveTo));\nfile.pipe(fs.createWriteStream(saveTo));\n...\nawait fs.remove(file);\n```\n\nThis does not account for symlinks/junctions already present below the media root. A path such as `pivot/secret.txt` can be lexically inside the media directory while the filesystem target is outside it.\n\n## Local Reproduction\n\nI verified this locally with a real junction on Windows.\n\nTest layout:\n\n- media root: `D:\\bugcrowd\\tinacms\\temp\\junction-repro4\\public\\uploads`\n- junction under media root: `public\\uploads\\pivot -> D:\\bugcrowd\\tinacms\\temp\\junction-repro4\\outside`\n- file outside the media root: `outside\\secret.txt`\n\nTina's current media-path validation logic was applied and used to perform the same list/write operations the route handlers use.\n\nObserved result:\n\n```json\n{\n \"media\": {\n \"base\": \"D:\\\\bugcrowd\\\\tinacms\\\\temp\\\\junction-repro4\\\\public\\\\uploads\",\n \"resolvedListPath\": \"D:\\\\bugcrowd\\\\tinacms\\\\temp\\\\junction-repro4\\\\public\\\\uploads\\\\pivot\",\n \"listedEntries\": [\n \"secret.txt\"\n ],\n \"resolvedWritePath\": \"D:\\\\bugcrowd\\\\tinacms\\\\temp\\\\junction-repro4\\\\public\\\\uploads\\\\pivot\\\\written-from-media.txt\",\n \"outsideWriteExists\": true,\n \"outsideWriteContents\": \"MEDIA_ESCAPE\"\n }\n}\n```\n\nThis shows the problem clearly:\n\n- the path validator accepted `pivot`\n- listing revealed a file from outside the media root\n- writing to `pivot/written-from-media.txt` created `outside\\written-from-media.txt`\n\nThe delete path uses the same flawed containment model and should be hardened at the same time.\n\n## Impact\n\n- **Out-of-root file listing** via `/media/list/...`\n- **Out-of-root file write** via `/media/upload/...`\n- **Likely out-of-root file delete** via `/media/...` `DELETE`, using the same path-validation gap\n- **Bypass of the recent path traversal hardening** for any deployment whose media tree contains a link to another location\n\nThis is especially relevant in development and self-hosted workflows where the media directory may contain symlinks or junctions intentionally or via repository content.\n\n## Recommended Fix\n\nHarden media path validation with canonical filesystem checks:\n\n1. resolve the real base path with `fs.realpath()`\n2. resolve the real target path, or for writes the nearest existing parent\n3. compare canonical paths rather than lexical strings\n4. reject any operation that traverses through a symlink/junction to leave the real media root\n\n`path.resolve(...).startsWith(...)` is not sufficient for filesystem security on linked paths.\n\n## Resources\n\n- `packages/@tinacms/cli/src/next/commands/dev-command/server/media.ts`\n- `packages/@tinacms/cli/src/server/models/media.ts`\n- `packages/@tinacms/cli/src/utils/path.ts`", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34603", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00087", "scoring_system": "epss", "scoring_elements": "0.25021", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00087", "scoring_system": "epss", "scoring_elements": "0.25033", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00087", "scoring_system": "epss", "scoring_elements": "0.24968", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00101", "scoring_system": "epss", "scoring_elements": "0.27314", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00101", "scoring_system": "epss", "scoring_elements": "0.27305", "published_at": "2026-06-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34603" }, { "reference_url": "https://github.com/tinacms/tinacms", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tinacms/tinacms" }, { "reference_url": "https://github.com/tinacms/tinacms/commit/f124eabaca10dac9a4d765c9e4135813c4830955", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-01T17:52:31Z/" } ], "url": "https://github.com/tinacms/tinacms/commit/f124eabaca10dac9a4d765c9e4135813c4830955" }, { "reference_url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-g87c-r2jp-293w", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-01T17:52:31Z/" } ], "url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-g87c-r2jp-293w" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34603", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34603" }, { "reference_url": "https://github.com/advisories/GHSA-g87c-r2jp-293w", "reference_id": "GHSA-g87c-r2jp-293w", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g87c-r2jp-293w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/111322?format=api", "purl": "pkg:npm/%40tinacms/graphql@2.2.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540tinacms/graphql@2.2.2" } ], "aliases": [ "CVE-2026-34603", "GHSA-g87c-r2jp-293w" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-n113-nq2s-5yg3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91707?format=api", "vulnerability_id": "VCID-uxsf-y8p8-1fcf", "summary": "@tinacms/graphql has Path Traversal that leads to overwrite of arbitrary files\n### Summary\nA Path Traversal vulnerability in `@tinacms/graphql` allows unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the `relativePath` parameter in GraphQL mutations. The impact includes the ability to replace critical server configuration files and potentially execute arbitrary commands by sabotaging build scripts.\n\n### Details\nThe vulnerability exists in the path validation logic within `@tinacms/graphql`. Specifically, the regex-based validation in `getValidatedPath` fails to recognize backslashes (`\\`) as directory separators on non-Windows platforms (Mac/Linux). An attacker can provide a path like `x\\..\\..\\..\\package.json`, which bypasses the validation check but is subsequently treated as a traversal path during file I/O operations by the underlying `fs` modules and path normalization utilities.\n\nIncriminated code areas:\n- [packages/@tinacms/graphql/src/database/bridge/filesystem.ts](tinacms/packages/@tinacms/graphql/src/database/bridge/filesystem.ts): [assertWithinBase](tinacms/graphql/src/database/bridge/filesystem.ts#7-35) function.\n- [packages/@tinacms/graphql/src/resolver/index.ts](tinacms/packages/@tinacms/graphql/src/resolver/index.ts): `getValidatedPath` function.\n\n### PoC\n1. Start the TinaCMS development server.\n2. Send a malicious GraphQL mutation to overwrite a project file (e.g., [package.json](tinacms/examples/tina-self-hosted-demo/package.json)):\n\n```bash\ncurl -X POST http://localhost:4001/graphql \\\n -H \"Content-Type: application/json\" \\\n -d '{\"query\": \"mutation { updateDocument(collection: \\\"global\\\", relativePath: \\\"x\\\\\\\\..\\\\\\\\..\\\\\\\\..\\\\\\\\package.json\\\", params: { global: { header: { name: \\\"OVERWRITTEN\\\" } } }) { __typename } }\"}'\n```\n\n3. Observe that the root [package.json](tinacms/examples/tina-self-hosted-demo/package.json) has been replaced with the provided payload.\n\n<img width=\"1424\" height=\"516\" alt=\"2026-03-15_12-24-05 PM\" src=\"https://github.com/user-attachments/assets/9fdf94ce-2183-4a24-9cd9-48f21deb9768\" />\n\n<img width=\"1387\" height=\"774\" alt=\"2026-03-15_12-27-33 PM\" src=\"https://github.com/user-attachments/assets/676f083b-f934-4cf2-978b-bb2fabee0216\" />\n\n### Impact\nThis is an **Arbitrary File Write** vulnerability. Any unauthenticated user with network access to the GraphQL API can:\n- Overwrite critical server configuration files (e.g., [package.json](tinacms/examples/tina-self-hosted-demo/package.json), [tsconfig.json](tinacms/examples/tina-self-hosted-demo/tsconfig.json)).\n- Host malicious scripts in the `public/` directory for client-side attacks.\n- Perform **Arbitrary Code Execution** by modifying build scripts or server-side logic files that are subsequently executed by the environment.\n\n\n\n**Weaknesses:**\n- **CWE-22**: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')\n- **CWE-73**: External Control of File Name or Path", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33949", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00243", "scoring_system": "epss", "scoring_elements": "0.47827", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00243", "scoring_system": "epss", "scoring_elements": "0.47811", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00243", "scoring_system": "epss", "scoring_elements": "0.47829", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00282", "scoring_system": "epss", "scoring_elements": "0.51902", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00282", "scoring_system": "epss", "scoring_elements": "0.51882", "published_at": "2026-06-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33949" }, { "reference_url": "https://github.com/tinacms/tinacms", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tinacms/tinacms" }, { "reference_url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-v9p7-gf3q-h779", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T16:44:36Z/" } ], "url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-v9p7-gf3q-h779" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33949", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33949" }, { "reference_url": "https://github.com/advisories/GHSA-v9p7-gf3q-h779", "reference_id": "GHSA-v9p7-gf3q-h779", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v9p7-gf3q-h779" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/111322?format=api", "purl": "pkg:npm/%40tinacms/graphql@2.2.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540tinacms/graphql@2.2.2" } ], "aliases": [ "CVE-2026-33949", "GHSA-v9p7-gf3q-h779" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-uxsf-y8p8-1fcf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90080?format=api", "vulnerability_id": "VCID-yujv-ty5w-fkhm", "summary": "@tinacms/graphql's `FilesystemBridge` Path Validation Can Be Bypassed via Symlinks or Junctions\n## Summary\n\n`@tinacms/graphql` uses string-based path containment checks in `FilesystemBridge`:\n\n- `path.resolve(path.join(baseDir, filepath))`\n- `startsWith(resolvedBase + path.sep)`\n\nThat blocks plain `../` traversal, but it does not resolve symlink or junction targets. If a symlink/junction already exists under the allowed content root, a path like `content/posts/pivot/owned.md` is still considered \"inside\" the base even though the real filesystem target can be outside it.\n\nAs a result, `FilesystemBridge.get()`, `put()`, `delete()`, and `glob()` can operate on files outside the intended root.\n\n## Details\n\nThe current bridge validation is:\n\n```ts\nfunction assertWithinBase(filepath: string, baseDir: string): string {\n const resolvedBase = path.resolve(baseDir);\n const resolved = path.resolve(path.join(baseDir, filepath));\n if (\n resolved !== resolvedBase &&\n !resolved.startsWith(resolvedBase + path.sep)\n ) {\n throw new Error(\n `Path traversal detected: \"${filepath}\" escapes the base directory`\n );\n }\n return resolved;\n}\n```\n\nBut the bridge then performs real filesystem I/O on the resulting path:\n\n```ts\npublic async get(filepath: string) {\n const resolved = assertWithinBase(filepath, this.outputPath);\n return (await fs.readFile(resolved)).toString();\n}\n\npublic async put(filepath: string, data: string, basePathOverride?: string) {\n const basePath = basePathOverride || this.outputPath;\n const resolved = assertWithinBase(filepath, basePath);\n await fs.outputFile(resolved, data);\n}\n\npublic async delete(filepath: string) {\n const resolved = assertWithinBase(filepath, this.outputPath);\n await fs.remove(resolved);\n}\n```\n\nThis is a classic realpath gap:\n\n1. validation checks the lexical path string\n2. the filesystem follows the link target during I/O\n3. the actual target can be outside the intended root\n\nThis is reachable from Tina's GraphQL/local database flow. The resolver builds a validated path from user-controlled `relativePath`, but that validation is also string-based:\n\n```ts\nconst realPath = path.join(collection.path, relativePath);\nthis.validatePath(realPath, collection, relativePath);\n```\n\nDatabase write and delete operations then call the bridge:\n\n```ts\nawait this.bridge.put(normalizedPath, stringifiedFile);\n...\nawait this.bridge.delete(normalizedPath);\n```\n\n## Local Reproduction\n\nThis was verified llocally with a real junction on Windows, which exercises the same failure mode as a symlink on Unix-like systems.\n\nTest layout:\n\n- content root: `D:\\bugcrowd\\tinacms\\temp\\junction-repro4`\n- allowed collection path: `content/posts`\n- junction inside collection: `content/posts/pivot -> D:\\bugcrowd\\tinacms\\temp\\junction-repro4\\outside`\n- file outside content root: `outside\\secret.txt`\n\nTina's current path-validation logic was applied and used to perform bridge-style read/write operations through the junction.\n\nObserved result:\n\n```json\n{\n \"graphqlBridge\": {\n \"collectionPath\": \"content/posts\",\n \"requestedRelativePath\": \"pivot/owned.md\",\n \"validatedRealPath\": \"content\\\\posts\\\\pivot\\\\owned.md\",\n \"bridgeResolvedPath\": \"D:\\\\bugcrowd\\\\tinacms\\\\temp\\\\junction-repro4\\\\content\\\\posts\\\\pivot\\\\owned.md\",\n \"bridgeRead\": \"TOP_SECRET_FROM_OUTSIDE\\\\r\\\\n\",\n \"outsideGraphqlWriteExists\": true,\n \"outsideGraphqlWriteContents\": \"GRAPHQL_ESCAPE\"\n }\n}\n```\n\nThat is the critical point:\n\n- the path was accepted as inside `content/posts`\n- the bridge read `outside\\secret.txt`\n- the bridge wrote `outside\\owned.md`\n\nSo the current containment check does not actually constrain filesystem access to the configured content root once a link exists inside that tree.\n\n## Impact\n\n- **Arbitrary file read/write outside the configured content root**\n- **Potential delete outside the configured content root** via the same `assertWithinBase()` gap in `delete()`\n- **Breaks the assumptions of the recent path-traversal fixes** because only lexical traversal is blocked\n- **Practical attack chains** where the content tree contains a committed symlink/junction, or an attacker can cause one to exist before issuing GraphQL/content operations\n\nThe exact network exploitability depends on how the application exposes Tina's GraphQL/content operations, but the underlying bridge bug is real and independently security-relevant.\n\n## Recommended Fix\n\nThe containment check needs to compare canonical filesystem paths, not just string-normalized paths.\n\nFor example:\n\n1. resolve the base with `fs.realpath()`\n2. resolve the candidate path's parent with `fs.realpath()`\n3. reject any request whose real target path escapes the real base\n4. for write operations, carefully canonicalize the nearest existing parent directory before creating the final file\n\nIn short: use realpath-aware containment checks for every filesystem sink, not `path.resolve(...).startsWith(...)` alone.\n\n## Resources\n\n- `packages/@tinacms/graphql/src/database/bridge/filesystem.ts`\n- `packages/@tinacms/graphql/src/database/index.ts`\n- `packages/@tinacms/graphql/src/resolver/index.ts`", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34604", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00089", "scoring_system": "epss", "scoring_elements": "0.2539", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00089", "scoring_system": "epss", "scoring_elements": "0.25438", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00089", "scoring_system": "epss", "scoring_elements": "0.25452", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00103", "scoring_system": "epss", "scoring_elements": "0.27778", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00103", "scoring_system": "epss", "scoring_elements": "0.27772", "published_at": "2026-06-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34604" }, { "reference_url": "https://github.com/tinacms/tinacms", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tinacms/tinacms" }, { "reference_url": "https://github.com/tinacms/tinacms/commit/f124eabaca10dac9a4d765c9e4135813c4830955", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-01T17:59:42Z/" } ], "url": "https://github.com/tinacms/tinacms/commit/f124eabaca10dac9a4d765c9e4135813c4830955" }, { "reference_url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-g9c2-gf25-3x67", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-01T17:59:42Z/" } ], "url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-g9c2-gf25-3x67" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34604", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34604" }, { "reference_url": "https://github.com/advisories/GHSA-g9c2-gf25-3x67", "reference_id": "GHSA-g9c2-gf25-3x67", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g9c2-gf25-3x67" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/111322?format=api", "purl": "pkg:npm/%40tinacms/graphql@2.2.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540tinacms/graphql@2.2.2" } ], "aliases": [ "CVE-2026-34604", "GHSA-g9c2-gf25-3x67" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yujv-ty5w-fkhm" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540tinacms/graphql@0.0.0-5cd6fb7-20260324232807" }