Directory Traversal Vulnerability in TinaCMS Affects Users' Content Management
CVE-2026-24125
6.3 MEDIUM
What is CVE-2026-24125?
TinaCMS, a headless content management system, contains a directory traversal vulnerability. Prior to version 2.1.2, TinaCMS allowed users to control the file path of a content document through GraphQL mutations. The user-supplied path was combined with the collection path using path.join() without adequate validation, so a path containing '../' sequences could resolve to a location outside the intended collection directory. Users of TinaCMS should upgrade to version 2.1.2 to mitigate this risk.
Affected Version(s)
graphql < 2.1.2
