Skip to main content

TinaCMS CVE-2026-55660

| EUVDEUVD-2026-41143 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-19 https://github.com/tinacms/tinacms GHSA-g5qx-h5f3-mp2f
7.6
CVSS 4.0 · Vendor: https://github.com/tinacms/tinacms
Share

Severity by source

Vendor (https://github.com/tinacms/tinacms) PRIMARY
7.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.8 MEDIUM

Network-delivered but requires a logged-in editor plus an opener/iframe relationship and victim interaction, so AC:H and UI:R; attacker needs no prior auth (PR:N); high confidentiality/integrity via session takeover and content injection, no availability impact.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/tinacms/tinacms).

CVSS VectorVendor: https://github.com/tinacms/tinacms

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

6
Analysis Updated
Jul 01, 2026 - 21:29 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 01, 2026 - 21:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 01, 2026 - 21:22 vuln.today
cvss_changed
CVSS changed
Jul 01, 2026 - 21:22 NVD
7.6 (HIGH)
Source Code Evidence Fetched
Jun 19, 2026 - 23:33 vuln.today
Analysis Generated
Jun 19, 2026 - 23:33 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 npm packages depend on @tinacms/app (1 direct, 0 indirect)
  • 3 npm packages depend on tinacms (3 direct, 0 indirect)

Ecosystem-wide dependent count for version 2.5.6 and other introduced versions.

DescriptionCVE.org

TinaCMS registers window message listeners - the useTina overlay handler, the OAuth authentication popup handler, and the admin↔preview iframe GraphQL reducer - that act on event.data without verifying event.origin or event.source, and post messages using non-specific target origins. A page the victim visits (or a window in an opener/iframe relationship with a Tina admin) can forge messages to drive the editor, inject preview content, or observe/forge the OAuth popup channel to take over an authenticated editing session.

Fixed in #7056 by allow-listing trusted origins and verifying event.source (isFromAdmin, isFromTrustedPreviewOrigin), and by posting only to explicit target origins (never "*").

Note: the rich-text URL-sanitization issue previously bundled here has been split into its own advisory (GHSA-2vcc-5v34-9jc8) so each vulnerability can receive a distinct CVE.

AnalysisAI

Cross-window message spoofing in TinaCMS (npm tinacms and @tinacms/app) lets a malicious web page hijack an authenticated editing session because the useTina overlay handler, the OAuth authentication popup handler, and the admin↔preview iframe GraphQL reducer act on window.postMessage event.data without validating event.origin or event.source, and reply with wildcard target origins. An attacker who lures an authenticated Tina editor to a crafted page (or gains an opener/iframe relationship with the Tina admin) can forge messages to drive the editor, inject preview content, or observe and forge the OAuth popup channel to take over the session. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Lure authenticated editor to crafted page
Delivery
Open opener/iframe link to Tina admin
Exploit
Forge postMessage to unvalidated listeners
Execution
Observe or forge OAuth popup token exchange
Persist
Hijack authenticated editing session
Impact
Inject content or alter site

Vulnerability AssessmentAI

Exploitation Exploitation requires that a victim who is an authenticated TinaCMS editor be socially engineered into a window relationship with the Tina admin - specifically visiting an attacker-controlled page that is in an opener/iframe relationship with, or can post messages to, the live Tina admin or preview frame - targeting the three unvalidated window.postMessage listeners (useTina overlay handler, OAuth authentication popup handler, and admin↔preview iframe GraphQL reducer). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are moderate and internally consistent rather than alarming. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends a Tina editor a link to a crafted web page while that editor is logged into the Tina admin in another tab; the page opens or references the admin/preview window and posts forged messages that the unvalidated listeners accept, injecting preview content or interacting with the OAuth popup channel to capture or forge the authentication token and assume the editor's session. Because the OAuth popup replies with a wildcard target origin, the attacker's window can observe the token exchange, then use the hijacked session to modify site content. …
Remediation Upgrade tinacms and @tinacms/app to the patched release that includes GitHub PR #7056, which allow-lists trusted origins, verifies event.source via isFromAdmin and isFromTrustedPreviewOrigin, and posts only to explicit target origins instead of '*'; consult the vendor advisory GHSA-g5qx-h5f3-mp2f (https://github.com/tinacms/tinacms/security/advisories/GHSA-g5qx-h5f3-mp2f) and PR https://github.com/tinacms/tinacms/pull/7056 for the exact fixed version. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all instances of tinacms and @tinacms/app packages in production and review audit logs for suspicious editor activity or unauthorized content changes. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55660 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy