Cross-Site Scripting Vulnerability in Tina CMS by Tina
CVE-2026-55660
7.6 HIGH
What is CVE-2026-55660?
Tina CMS, a popular headless content management system, contains a serious vulnerability that allows stored Cross-Site Scripting (XSS) and session takeover. The flaw has two causes: the editor handles cross-origin postMessage events without validating the sender's origin, and URLs embedded in rich text content are insufficiently sanitized. An attacker can exploit this by sending messages that the editor processes without checking where they came from, enabling them to inject malicious scripts, manipulate content, or hijack OAuth authentication sessions. The issue has been addressed in the latest versions, and users are strongly encouraged to upgrade to keep their applications secure.
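The two defect classes the advisory names (a postMessage listener that never checks `event.origin`, and rich-text links whose scheme is not validated) are generic browser-side patterns. The following is an added illustration written for this page, not Tina CMS code: `TRUSTED_EDITOR_ORIGIN`, `makeMessageHandler`, `sanitizeHref` and the message shape `{ type, payload }` are all assumed names, chosen only to show the weak pattern beside its hardened form.

```javascript
// Added example, not part of the Tina CMS code base. Shows the defender-side
// fixes for the two problems the advisory describes: origin validation on
// postMessage handlers and scheme allow-listing for rich-text links.

// Assumed origin of the page that is allowed to drive the editor.
const TRUSTED_EDITOR_ORIGIN = 'https://editor.example.com';

// Weak pattern (the class of defect the advisory describes): the handler acts
// on whatever any window sends it. Kept here only to contrast with the fix.
function weakMessageHandler(event, onCommand) {
  onCommand(event.data); // no origin check, no shape check
  return { accepted: true };
}

// Hardened handler: reject messages from any other origin, then require a
// known message shape before dispatching. Returns a result object so the
// decision is observable in tests and logs.
function makeMessageHandler(trustedOrigin, onCommand) {
  return function handle(event) {
    if (event.origin !== trustedOrigin) {
      return { accepted: false, reason: 'untrusted-origin' };
    }
    const data = event.data;
    if (!data || typeof data !== 'object' || typeof data.type !== 'string') {
      return { accepted: false, reason: 'malformed' };
    }
    onCommand(data);
    return { accepted: true, type: data.type };
  };
}

// Allow-list of link schemes that may appear in rich text. Anything else
// (javascript:, data:, vbscript:, ...) is rejected rather than blocklisted,
// so unknown schemes fail closed.
const ALLOWED_LINK_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Returns the href if its scheme is allowed, otherwise null. Parsing with the
// WHATWG URL parser (a global in browsers and Node) rather than a string
// prefix check means tabs/newlines inside the scheme and mixed case are
// normalised before the comparison, which naive startsWith checks miss.
function sanitizeHref(href) {
  if (typeof href !== 'string') return null;
  const trimmed = href.trim();
  if (trimmed === '') return null;
  let parsed;
  try {
    // The base only resolves relative links; it never reaches the output.
    parsed = new URL(trimmed, 'https://placeholder.invalid/');
  } catch {
    return null;
  }
  return ALLOWED_LINK_SCHEMES.has(parsed.protocol) ? trimmed : null;
}

// Stand-alone demonstration with constructed inputs.
function demo() {
  const seen = [];
  const handle = makeMessageHandler(TRUSTED_EDITOR_ORIGIN, (m) => seen.push(m.type));
  const results = [
    handle({ origin: 'https://attacker.example', data: { type: 'set-content' } }),
    handle({ origin: TRUSTED_EDITOR_ORIGIN, data: { type: 'set-content' } }),
    sanitizeHref('javascript:alert(1)'),
    sanitizeHref('https://example.com/docs'),
  ];
  console.log(results, seen);
  return results;
}
```

The usage note: the hardened handler should be registered with `window.addEventListener('message', handle)`, and the sanitizer applied to every `href` produced from rich-text content at render time, not only at save time, so content stored before the fix is also covered.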
Affected Version(s)
@tinacms/app < 2.5.6
tinacms < 3.9.3
