HIGH🇬🇧 English

CVE-2026-33949

CVSS 8.1v3.1pub. 2026-04-01upd. 2026-04-07

Tina is a headless content management system. Prior to version 2.2.2, a path traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the relativePath parameter in GraphQL mutations. The impact includes the ability to replace critical server configuration files and potentially execute arbitrary commands by sabotaging build script. This issue has been patched in version 2.2.2.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
  • Ssw Tinacms\/graphql

    APP
    Ssw
    ≤ 2.2.1
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
Path Traversal
CWE
Referencje

Powiązane podatności

CVE-2026-34604HIGH7.1ten sam produkt

Tina is a headless content management system. Prior to version 2.2.2, @tinacms/graphql uses string-based path ...

CVE-2025-68278HIGH7.3ten sam produkt

Tina is a headless content management system. In tinacms prior to version 3.1.1, tinacms uses the gray-matter ...

CVE-2026-24125MEDIUM6.3ten sam produkt

Tina is a headless content management system. Prior to 2.1.2, TinaCMS allows users to create, update, and dele...

CVE-2026-28792CRITICAL9.6PL ✓ten sam vendor

TinaCMS CLI: path traversal + CORS umożliwiają atak drive-by na deweloperów

CVE-2026-34603HIGH7.1ten sam vendor

Tina is a headless content management system. Prior to version 2.2.2, @tinacms/cli recently added lexical path...