Path Traversal Vulnerability in Tina CMS
CVE-2026-34603

7.1 HIGH

Key Information:

Vendor: Tinacms

Status
Vendor
CVE Published: 1 April 2026

What is CVE-2026-34603?

Tina CMS, a headless content management system, has a path traversal vulnerability that allows attackers to access and modify files outside the intended media directory. The flaw stems from an oversight in the implementation of the lexical path-traversal checks on the development media routes. Prior to version 2.2.2, a manipulated path could cause the system to perform unauthorized file system operations, potentially exposing sensitive data or overwriting existing files. The issue is resolved in version 2.2.2, so installations running an earlier version should be updated.

Affected Version(s)

tinacms < 2.2.2

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
