CVE-2026-29066

Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server configures Vite with server.fs.strict: false, which disables Vite's built-in filesystem access restriction. This allows any unauthenticated attacker who can reach the dev server to read arbitrary files on the host system. This vulnerability is fixed in 2.1.8.

CVSS v3 6.2 MEDIUM

6.2^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.5 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/tinacms/tinacms/security/advisories/GHSA-m48g-4wr2-j2h6	Exploit Vendor Advisory
https://github.com/tinacms/tinacms/security/advisories/GHSA-m48g-4wr2-j2h6	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:ssw:tinacms\/cli:*:*:*:*:*:node.js:*:*

History

No history.

Information

Published : 2026-03-12 17:16

Updated : 2026-03-13 19:57

NVD link : CVE-2026-29066

Mitre link : CVE-2026-29066

CVE.ORG link : CVE-2026-29066

JSON object : View

Products Affected

ssw

tinacms\/cli

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-552

Files or Directories Accessible to External Parties

{"id": "CVE-2026-29066", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.5}]}, "published": "2026-03-12T17:16:50.700", "references": [{"url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-m48g-4wr2-j2h6", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-m48g-4wr2-j2h6", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-552"}]}], "descriptions": [{"lang": "en", "value": "Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server configures Vite with server.fs.strict: false, which disables Vite's built-in filesystem access restriction. This allows any unauthenticated attacker who can reach the dev server to read arbitrary files on the host system. This vulnerability is fixed in 2.1.8."}, {"lang": "es", "value": "Tina es un sistema de gesti\u00f3n de contenido headless. Antes de la versi\u00f3n 2.1.8, el servidor de desarrollo CLI de TinaCMS configura Vite con server.fs.strict: false, lo que desactiva la restricci\u00f3n de acceso al sistema de archivos integrada de Vite. Esto permite a cualquier atacante no autenticado que pueda alcanzar el servidor de desarrollo leer archivos arbitrarios en el sistema anfitri\u00f3n. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 2.1.8."}], "lastModified": "2026-03-13T19:57:18.363", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ssw:tinacms\\/cli:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "1CE10330-2151-486B-AF99-38DC3D2F8FA0", "versionEndExcluding": "2.1.8"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}