Arbitrary Code Execution in Tina CMS by Tinacms Vendor
CVE-2025-68278

7.3HIGH

Key Information:

Vendor: Tinacms
Status: Tinacms
Vendor: CVE Published:; 18 December 2025

What is CVE-2025-68278?

Tina CMS, a popular headless content management system, has a vulnerability in its handling of markdown files. Prior to version 3.1.1, it utilized the gray-matter package insecurely, enabling attackers to run arbitrary code if they controlled the content of processed markdown files, such as blog posts. This flaw could jeopardize the integrity and safety of applications leveraging Tina CMS. Users are urged to update to the latest version to mitigate this risk.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

tinacms tinacms < 3.1.1 < tinacms 3.1.1

tinacms @tinacms/cli < 2.0.4 < @tinacms/cli 2.0.4

tinacms @tinacms/graphql < 2.0.3 < @tinacms/graphql 2.0.3

References

https://github.com/tinacms/tinacms/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/tinacms/tinacms/commit/fa7c27abef968e3...

x_refsource_MISC

CVSS V4

Score:

7.3

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Timeline

Vulnerability published
Dec 18, 2025
Vulnerability Reserved
Dec 16, 2025

JSON

Tinacms

What is CVE-2025-68278?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V4

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.