Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:npm/%40tinacms/graphql@0.0.0-20230814192637

Type npm

Namespace @tinacms

Name graphql

Version 0.0.0-20230814192637

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 2.2.2

Latest_non_vulnerable_version 2.2.2

Affected_by_vulnerabilities

url VCID-3rzx-f783-pygf

vulnerability_id VCID-3rzx-f783-pygf

summary Tina is a headless content management system. Prior to 2.1.2, TinaCMS allows users to create, update, and delete content documents using relative file paths (relativePath, newRelativePath) via GraphQL mutations. Under certain conditions, these paths are combined with the collection path using path.join() without validating that the resolved path remains within the collection root directory. Because path.join() does not prevent directory traversal, paths containing ../ sequences can escape the intended directory boundary. This vulnerability is fixed in 2.1.2.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-24125

reference_id

reference_type

scores

value	0.00093
scoring_system	epss
scoring_elements	0.26318
published_at	2026-06-13T12:55:00Z

value	0.00093
scoring_system	epss
scoring_elements	0.26106
published_at	2026-06-11T12:55:00Z

value	0.00093
scoring_system	epss
scoring_elements	0.26306
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-24125

reference_url

https://github.com/tinacms/tinacms

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/tinacms/tinacms

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-24125

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-24125

reference_url

https://github.com/advisories/GHSA-2238-xc5r-v9hj

reference_id

GHSA-2238-xc5r-v9hj

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-2238-xc5r-v9hj

reference_url

https://github.com/tinacms/tinacms/security/advisories/GHSA-2238-xc5r-v9hj

reference_id

GHSA-2238-xc5r-v9hj

reference_type

scores

value	6.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T17:54:30Z/

url

https://github.com/tinacms/tinacms/security/advisories/GHSA-2238-xc5r-v9hj

fixed_packages

url pkg:npm/%40tinacms/graphql@2.1.2

purl pkg:npm/%40tinacms/graphql@2.1.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-g176-gqqb-nfc9

vulnerability	VCID-hgp6-pjsw-nkfd

vulnerability	VCID-y6dm-sbz5-dkhp

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540tinacms/graphql@2.1.2

aliases CVE-2026-24125, GHSA-2238-xc5r-v9hj

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3rzx-f783-pygf

url VCID-dfkk-m4c1-pqb3

vulnerability_id VCID-dfkk-m4c1-pqb3

summary Tina is a headless content management system. In tinacms prior to version 3.1.1, tinacms uses the gray-matter package in an insecure way allowing attackers that can control the content of the processed markdown files, e.g., blog posts, to execute arbitrary code. tinacms version 3.1.1, @tinacms/cli version 2.0.4, and @tinacms/graphql version 2.0.3 contain a fix for the issue.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-68278

reference_id

reference_type

scores

value	0.00069
scoring_system	epss
scoring_elements	0.21565
published_at	2026-06-13T12:55:00Z

value	0.00069
scoring_system	epss
scoring_elements	0.21551
published_at	2026-06-12T12:55:00Z

value	0.00069
scoring_system	epss
scoring_elements	0.21366
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-68278

reference_url

https://github.com/tinacms/tinacms

reference_id

reference_type

scores

value	7.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/tinacms/tinacms

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-68278

reference_id

CVE-2025-68278

reference_type

scores

value	7.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-68278

reference_url

https://github.com/tinacms/tinacms/commit/fa7c27abef968e3f3a3e7d564f282bc566087569

reference_id

fa7c27abef968e3f3a3e7d564f282bc566087569

reference_type

scores

value	7.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-12-18T15:45:22Z/

url

https://github.com/tinacms/tinacms/commit/fa7c27abef968e3f3a3e7d564f282bc566087569

reference_url

https://github.com/advisories/GHSA-529f-9qwm-9628

reference_id

GHSA-529f-9qwm-9628

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-529f-9qwm-9628

reference_url

https://github.com/tinacms/tinacms/security/advisories/GHSA-529f-9qwm-9628

reference_id

GHSA-529f-9qwm-9628

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	7.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-12-18T15:45:22Z/

url

https://github.com/tinacms/tinacms/security/advisories/GHSA-529f-9qwm-9628

fixed_packages

url pkg:npm/%40tinacms/graphql@2.0.3

purl pkg:npm/%40tinacms/graphql@2.0.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3rzx-f783-pygf

vulnerability	VCID-g176-gqqb-nfc9

vulnerability	VCID-hgp6-pjsw-nkfd

vulnerability	VCID-y6dm-sbz5-dkhp

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540tinacms/graphql@2.0.3

aliases CVE-2025-68278, GHSA-529f-9qwm-9628

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dfkk-m4c1-pqb3

url VCID-g176-gqqb-nfc9

vulnerability_id VCID-g176-gqqb-nfc9

summary Tina is a headless content management system. Prior to version 2.2.2, @tinacms/cli recently added lexical path-traversal checks to the dev media routes, but the implementation still validates only the path string and does not resolve symlink or junction targets. If a link already exists under the media root, Tina accepts a path like pivot/written-from-media.txt as "inside" the media directory and then performs real filesystem operations through that link target. This allows out-of-root media listing and write access, and the same root cause also affects delete. This issue has been patched in version 2.2.2.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-34603

reference_id

reference_type

scores

value	0.00101
scoring_system	epss
scoring_elements	0.27347
published_at	2026-06-11T12:55:00Z

value	0.00101
scoring_system	epss
scoring_elements	0.27572
published_at	2026-06-13T12:55:00Z

value	0.00101
scoring_system	epss
scoring_elements	0.27549
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-34603

reference_url

https://github.com/tinacms/tinacms

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/tinacms/tinacms

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-34603

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-34603

reference_url

https://github.com/tinacms/tinacms/commit/f124eabaca10dac9a4d765c9e4135813c4830955

reference_id

f124eabaca10dac9a4d765c9e4135813c4830955

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-01T17:52:31Z/

url

https://github.com/tinacms/tinacms/commit/f124eabaca10dac9a4d765c9e4135813c4830955

reference_url

https://github.com/advisories/GHSA-g87c-r2jp-293w

reference_id

GHSA-g87c-r2jp-293w

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-g87c-r2jp-293w

reference_url

https://github.com/tinacms/tinacms/security/advisories/GHSA-g87c-r2jp-293w

reference_id

GHSA-g87c-r2jp-293w

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-01T17:52:31Z/

url

https://github.com/tinacms/tinacms/security/advisories/GHSA-g87c-r2jp-293w

fixed_packages

url	pkg:npm/%40tinacms/graphql@2.2.2
purl	pkg:npm/%40tinacms/graphql@2.2.2
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/%2540tinacms/graphql@2.2.2

aliases CVE-2026-34603, GHSA-g87c-r2jp-293w

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-g176-gqqb-nfc9

url VCID-hgp6-pjsw-nkfd

vulnerability_id VCID-hgp6-pjsw-nkfd

summary Tina is a headless content management system. Prior to version 2.2.2, a path traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the relativePath parameter in GraphQL mutations. The impact includes the ability to replace critical server configuration files and potentially execute arbitrary commands by sabotaging build script. This issue has been patched in version 2.2.2.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-33949

reference_id

reference_type

scores

value	0.00282
scoring_system	epss
scoring_elements	0.52111
published_at	2026-06-13T12:55:00Z

value	0.00282
scoring_system	epss
scoring_elements	0.51969
published_at	2026-06-11T12:55:00Z

value	0.00282
scoring_system	epss
scoring_elements	0.52099
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-33949

reference_url

https://github.com/tinacms/tinacms

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/tinacms/tinacms

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-33949

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-33949

reference_url

https://github.com/advisories/GHSA-v9p7-gf3q-h779

reference_id

GHSA-v9p7-gf3q-h779

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-v9p7-gf3q-h779

reference_url

https://github.com/tinacms/tinacms/security/advisories/GHSA-v9p7-gf3q-h779

reference_id

GHSA-v9p7-gf3q-h779

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T16:44:36Z/

url

https://github.com/tinacms/tinacms/security/advisories/GHSA-v9p7-gf3q-h779

fixed_packages

url	pkg:npm/%40tinacms/graphql@2.2.2
purl	pkg:npm/%40tinacms/graphql@2.2.2
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/%2540tinacms/graphql@2.2.2

aliases CVE-2026-33949, GHSA-v9p7-gf3q-h779

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hgp6-pjsw-nkfd

url VCID-y6dm-sbz5-dkhp

vulnerability_id VCID-y6dm-sbz5-dkhp

summary Tina is a headless content management system. Prior to version 2.2.2, @tinacms/graphql uses string-based path containment checks in FilesystemBridge. That blocks plain ../ traversal, but it does not resolve symlink or junction targets. If a symlink/junction already exists under the allowed content root, a path like content/posts/pivot/owned.md is still considered "inside" the base even though the real filesystem target can be outside it. As a result, FilesystemBridge.get(), put(), delete(), and glob() can operate on files outside the intended root. This issue has been patched in version 2.2.2.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-34604

reference_id

reference_type

scores

value	0.00103
scoring_system	epss
scoring_elements	0.27805
published_at	2026-06-11T12:55:00Z

value	0.00103
scoring_system	epss
scoring_elements	0.28031
published_at	2026-06-13T12:55:00Z

value	0.00103
scoring_system	epss
scoring_elements	0.28004
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-34604

reference_url

https://github.com/tinacms/tinacms

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/tinacms/tinacms

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-34604

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-34604

reference_url

https://github.com/tinacms/tinacms/commit/f124eabaca10dac9a4d765c9e4135813c4830955

reference_id

f124eabaca10dac9a4d765c9e4135813c4830955

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-01T17:59:42Z/

url

https://github.com/tinacms/tinacms/commit/f124eabaca10dac9a4d765c9e4135813c4830955

reference_url

https://github.com/advisories/GHSA-g9c2-gf25-3x67

reference_id

GHSA-g9c2-gf25-3x67

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-g9c2-gf25-3x67

reference_url

https://github.com/tinacms/tinacms/security/advisories/GHSA-g9c2-gf25-3x67

reference_id

GHSA-g9c2-gf25-3x67

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-01T17:59:42Z/

url

https://github.com/tinacms/tinacms/security/advisories/GHSA-g9c2-gf25-3x67

fixed_packages

url	pkg:npm/%40tinacms/graphql@2.2.2
purl	pkg:npm/%40tinacms/graphql@2.2.2
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/%2540tinacms/graphql@2.2.2

aliases CVE-2026-34604, GHSA-g9c2-gf25-3x67

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-y6dm-sbz5-dkhp

Fixing_vulnerabilities

Risk_score 4.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540tinacms/graphql@0.0.0-20230814192637

Package Instance