Cross-Site Scripting Vulnerability in Tina CMS by Tina
CVE-2026-55660

7.6 HIGH

Key Information:

Vendor: Tinacms
CVE Published: 1 July 2026

What is CVE-2026-55660?

Tina CMS, a popular headless content management system, is affected by a vulnerability that allows stored Cross-Site Scripting (XSS) and session takeover. The flaw stems from two weaknesses: the editor handles cross-origin postMessage events without validating the sender's origin, and URLs in rich text content are not sufficiently sanitized. An attacker who can deliver such messages to the editor can inject scripts, manipulate content, or hijack OAuth authentication sessions. The issue has been addressed in the latest versions, and users are strongly encouraged to upgrade to maintain the security of their applications.
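
As an added illustration, not code from Tina CMS or from this advisory, the two defensive checks this class of bug calls for: a postMessage handler that accepts only messages from an allowlisted origin with an expected shape, and a link sanitizer that admits only relative links and http(s)/mailto URLs into rendered rich text. The origin allowlist, message shape and function names are assumptions chosen for the example.

```javascript
// Constructed allowlist of origins permitted to send messages to the editor.
// A real deployment would list only the admin/editor origin(s) it serves.
const TRUSTED_ORIGINS = new Set(["https://cms.example.com"]);

// Returns the message payload only when it comes from a trusted origin and has
// the expected shape; anything else is dropped (returns null).
// Browser usage (not run here, hypothetical):
//   window.addEventListener("message", (e) => {
//     const msg = acceptEditorMessage(e);
//     if (msg) handleEditorCommand(msg);
//   });
function acceptEditorMessage(event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return null; // the missing check
  if (typeof event.data !== "object" || event.data === null) return null;
  if (typeof event.data.type !== "string") return null;
  return event.data;
}

// Schemes allowed in rich-text links. javascript:, data:, vbscript: and any
// other scheme fall through to the rejection branch.
const SAFE_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Returns the href unchanged if it is relative or uses an allowed scheme,
// otherwise a harmless "#". The URL parser strips tab/newline and lowercases
// the scheme, so "java\tscript:" and "JavaScript:" are caught as well.
function sanitizeHref(href) {
  const value = String(href).trim();
  let url;
  try {
    // Base URL only resolves relative links; it never leaks into the result.
    url = new URL(value, "https://placeholder.invalid/");
  } catch {
    return "#";
  }
  return SAFE_SCHEMES.has(url.protocol) ? value : "#";
}

// Escapes the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Renders a rich-text link: scheme-checked href, escaped attribute and text.
function renderLink(href, text) {
  return `<a href="${escapeHtml(sanitizeHref(href))}">${escapeHtml(text)}</a>`;
}
```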

Affected Version(s)

@tinacms/app < 2.5.6

tinacms < 3.9.3

CVSS V4

Score: 7.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published
  • Vulnerability Reserved