Path Traversal Vulnerability in Tina CMS by Tina
CVE-2026-33949
8.1 HIGH
What is CVE-2026-33949?
Tina CMS, a headless content management system, contains a path traversal vulnerability in its @tinacms/graphql package that allows unauthenticated users to manipulate the relativePath parameter in GraphQL mutations. By doing so, they can write and overwrite arbitrary files within the project root. Critical server configuration files may therefore be compromised, and altering build scripts could lead to arbitrary command execution. Users are encouraged to upgrade to version 2.2.2 or later, where this issue has been addressed.
Affected Version(s)
tinacms < 2.2.2
