@tinacms/graphql
npm · 4 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting @tinacms/graphql
- CVE-2025-68278 | HIGH | CVSS 8.8 | EG 8.8 | Fixed in 2.0.3 | 2025-12-18
Tina is a headless content management system. In tinacms prior to version 3.1.1, tinacms uses the gray-matter package in an insecure way allowing attackers that can control the content of the processed markdown files, e.g., blog posts, to …
- CVE-2026-33949 | HIGH | CVSS 8.1 | EG 8.1 | Fixed in 2.2.2 | 2026-04-01
Tina is a headless content management system. Prior to version 2.2.2, a path traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manip…
- CVE-2026-34603 | HIGH | CVSS 7.1 | EG 7.1 | Fixed in 2.2.2 | 2026-04-01
Tina is a headless content management system. Prior to version 2.2.2, @tinacms/cli recently added lexical path-traversal checks to the dev media routes, but the implementation still validates only the path string and does not resolve symli…
- CVE-2026-34604 | HIGH | CVSS 7.1 | EG 7.1 | Fixed in 2.2.2 | 2026-04-01
Tina is a headless content management system. Prior to version 2.2.2, @tinacms/graphql uses string-based path containment checks in FilesystemBridge. That blocks plain ../ traversal, but it does not resolve symlink or junction targets. If …