Directory Traversal Vulnerability in TinaCMS Affects Users' Content Management
CVE-2026-24125

6.3 MEDIUM

Key Information:

Vendor: @tinacms
Status: Vendor
CVE Published: 12 March 2026

What is CVE-2026-24125?

TinaCMS, a headless content management system, contains a directory traversal vulnerability. Prior to version 2.1.2, TinaCMS allowed users to control content document file paths through GraphQL mutations. The user-supplied path was combined with the collection path using path.join() without adequate validation, so an attacker could include '../' sequences to reach files outside the intended collection directory. Users of TinaCMS should upgrade to version 2.1.2, which addresses the issue.

Affected Version(s)

graphql < 2.1.2

CVSS V3.1

Score: 6.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved