Tinacms Graphql
CVE-2026-24125
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
3Blast Radius
ecosystem impact- 6 npm packages depend on @tinacms/graphql (3 direct, 3 indirect)
Ecosystem-wide dependent count for version 2.1.2.
DescriptionGitHub Advisory
Tina is a headless content management system. Prior to 2.1.2, TinaCMS allows users to create, update, and delete content documents using relative file paths (relativePath, newRelativePath) via GraphQL mutations. Under certain conditions, these paths are combined with the collection path using path.join() without validating that the resolved path remains within the collection root directory. Because path.join() does not prevent directory traversal, paths containing ../ sequences can escape the intended directory boundary. This vulnerability is fixed in 2.1.2.
AnalysisAI
Medium severity vulnerability in TinaCMS.
Description
Technical ContextAI
Vulnerability Type: Path Traversal (CWE-22) CVSS 3.1: 6.3/10.0 — Attack Vector: Network | Complexity: Low | Privileges Required: Low | User Interaction: None Attack Techniques: Path Traversal Source: https://github.com/tinacms/tinacms Path traversal allows access to files outside the intended directory by manipulating file paths with sequences like '../'.
RemediationAI
Security advisories:
- https://github.com/tinacms/tinacms/security/advisories/GHSA-2238-xc5r-v9hj
Update to the latest patched version as soon as possible.
More in Tinacms Graphql
View allSame weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-2238-xc5r-v9hj