Arbitrary Code Execution in Tina CMS by Tinacms Vendor
CVE-2025-68278

7.3HIGH

Key Information:

Vendor: Tinacms
Status: Tinacms
Vendor: CVE Published:; 18 December 2025

What is CVE-2025-68278?

Tina CMS, a popular headless content management system, has a vulnerability in its handling of markdown files. Prior to version 3.1.1, it utilized the gray-matter package insecurely, enabling attackers to run arbitrary code if they controlled the content of processed markdown files, such as blog posts. This flaw could jeopardize the integrity and safety of applications leveraging Tina CMS. Users are urged to update to the latest version to mitigate this risk.

Affected Version(s)

tinacms tinacms < 3.1.1 < tinacms 3.1.1

tinacms @tinacms/cli < 2.0.4 < @tinacms/cli 2.0.4

tinacms @tinacms/graphql < 2.0.3 < @tinacms/graphql 2.0.3

References

https://github.com/tinacms/tinacms/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/tinacms/tinacms/commit/fa7c27abef968e3...

x_refsource_MISC

CVSS V4

Score:

7.3

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 18, 2025
Vulnerability Reserved
Dec 16, 2025

JSON