CVE-2026-34604

High CVSS: 7.1

Tina is a headless content management system. Prior to version 2.2.2, @tinacms/graphql uses string-based path containment checks in FilesystemBridge. That blocks plain ../ traversal, but it does not resolve symlink or junction targets. If a symlink/junction already exists under the allowed content root, a path like content/posts/pivot/owned.md is still considered "inside" the base even though the real filesystem target can be outside it. As a result, FilesystemBridge.get(), put(), delete(), and glob() can operate on files outside the intended root. This issue has been patched in version 2.2.2.

Vendor

Ssw

Product

Tinacms\/graphql

CWE

CWE-22

Yayın Tarihi

2026-04-01 17:28:41

Güncelleme

2026-04-07 19:08:26

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-22 Tinacms\/graphql HIGH Ssw 2026

Referanslar

https://github.com/tinacms/tinacms/commit/f124eabaca10dac9a4d765c9e4135813c4830955 https://github.com/tinacms/tinacms/security/advisories/GHSA-g9c2-gf25-3x67 https://github.com/tinacms/tinacms/security/advisories/GHSA-g9c2-gf25-3x67

Benzer Kayıtlar

High

CVE-2026-34603

Tina is a headless content management system. Prior to version 2.2.2, @tinacms/cli recently added lexical path-traversal…

High

CVE-2026-33949

Tina is a headless content management system. Prior to version 2.2.2, a path traversal vulnerability in @tinacms/graphql…

High

CVE-2026-28791

Tina is a headless content management system. Prior to 2.1.7, a path traversal vulnerability exists in the TinaCMS devel…

Critical

CVE-2026-28792

Tina is a headless content management system. Prior to 2.1.8 , the TinaCMS CLI dev server combines a permissive CORS con…

High

CVE-2026-28793

Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI development server exposes media endpoints…

Medium

CVE-2026-29066

Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server configures Vite with server.fs.…