Lookup for vulnerable packages by Package URL.
| Purl | pkg:npm/%40tinacms/cli@0.0.0-20230509001329 |
|---|
| Type | npm |
|---|
| Namespace | @tinacms |
|---|
| Name | cli |
|---|
| Version | 0.0.0-20230509001329 |
|---|
| Qualifiers |
|
|---|
| Subpath | |
|---|
| Is_vulnerable | true |
|---|
| Next_non_vulnerable_version | 2.1.8 |
|---|
| Latest_non_vulnerable_version | 2.1.8 |
|---|
| Affected_by_vulnerabilities |
| 0 |
| url |
VCID-dfkk-m4c1-pqb3 |
| vulnerability_id |
VCID-dfkk-m4c1-pqb3 |
| summary |
Tina is a headless content management system. In tinacms prior to version 3.1.1, tinacms uses the gray-matter package in an insecure way allowing attackers that can control the content of the processed markdown files, e.g., blog posts, to execute arbitrary code. tinacms version 3.1.1, @tinacms/cli version 2.0.4, and @tinacms/graphql version 2.0.3 contain a fix for the issue. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-68278, GHSA-529f-9qwm-9628
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-dfkk-m4c1-pqb3 |
|
| 1 |
| url |
VCID-j5k4-p718-17e3 |
| vulnerability_id |
VCID-j5k4-p718-17e3 |
| summary |
Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI development server exposes media endpoints that are vulnerable to path traversal, allowing attackers to read and write arbitrary files on the filesystem outside the intended media directory. When running tinacms dev, the CLI starts a local HTTP server (default port 4001) exposing endpoints such as /media/list/*, /media/upload/*, and /media/*. These endpoints process user-controlled path segments using decodeURI() and path.join() without validating that the resolved path remains within the configured media directory. This vulnerability is fixed in 2.1.8. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-28793, GHSA-2f24-mg4x-534q
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-j5k4-p718-17e3 |
|
| 2 |
| url |
VCID-qazb-j1xd-jfcx |
| vulnerability_id |
VCID-qazb-j1xd-jfcx |
| summary |
Tina is an open-source content management system (CMS). Sites building with Tina CMS's command line interface (CLI) prior to version 1.6.2 that use a search token may be vulnerable to the search token being leaked via lock file (tina-lock.json). Administrators of Tina-enabled websites with search setup should rotate their key immediately. This issue has been patched in @tinacms/cli version 1.6.2. Upgrading and rotating the search token is required for the proper fix. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/tinacms/tinacms |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/tinacms/tinacms |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/tinacms/tinacms/pull/4758 |
| reference_id |
4758 |
| reference_type |
|
| scores |
| 0 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-03T20:23:50Z/ |
|
|
| url |
https://github.com/tinacms/tinacms/pull/4758 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-45391, GHSA-4qrm-9h4r-v2fx
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qazb-j1xd-jfcx |
|
| 3 |
| url |
VCID-tcnd-bb71-z3hg |
| vulnerability_id |
VCID-tcnd-bb71-z3hg |
| summary |
Tina is a headless content management system. Prior to 2.1.8 , the TinaCMS CLI dev server combines a permissive CORS configuration (Access-Control-Allow-Origin: *) with the path traversal vulnerability (previously reported) to enable a browser-based drive-by attack. A remote attacker can enumerate the filesystem, write arbitrary files, and delete arbitrary files on developer's machines by simply tricking them into visiting a malicious website while tinacms dev is running. This vulnerability is fixed in 2.1.8. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-28792, GHSA-8pw3-9m7f-q734
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-tcnd-bb71-z3hg |
|
| 4 |
| url |
VCID-x7w5-kvqc-s7hw |
| vulnerability_id |
VCID-x7w5-kvqc-s7hw |
| summary |
Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server configures Vite with server.fs.strict: false, which disables Vite's built-in filesystem access restriction. This allows any unauthenticated attacker who can reach the dev server to read arbitrary files on the host system. This vulnerability is fixed in 2.1.8. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-29066, GHSA-m48g-4wr2-j2h6
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-x7w5-kvqc-s7hw |
|
|
|---|
| Fixing_vulnerabilities |
|
|---|
| Risk_score | null |
|---|
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:npm/%2540tinacms/cli@0.0.0-20230509001329 |
|---|