Stored XSS Vulnerability in Tina CMS by Tina
CVE-2026-55661

4.8 MEDIUM

Key Information:

Vendor

Tinacms

CVE Published:
1 July 2026

What is CVE-2026-55661?

Tina CMS, a headless content management system, contains a stored cross-site scripting (XSS) vulnerability in versions of @tinacms/mdx prior to 2.1.7 and tinacms prior to 3.9.3. The rich-text parser and the default link and image renderers do not sanitize the url field of Slate link/image nodes, so a javascript: or data:text/html URL stored in rich-text content is emitted as a live href or src and executes script when that content is rendered and viewed. Any user who can author rich-text content, including lower-privileged editors and imported content sources, can plant such a payload, putting editors and site visitors at risk. The issue is fixed in @tinacms/mdx 2.1.7 and tinacms 3.9.3.
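To make the failure mode concrete, the following is an added example (not Tina CMS code, and not the project's actual renderer or fix) that models how a rich-text renderer turns Slate link/image nodes into HTML. It shows a renderer that escapes the url field but never checks its scheme beside a hardened version that allow-lists schemes and strips the control characters browsers ignore when parsing one. The node shape, the function names and the sample content are assumptions made for the illustration.

```javascript
// Added example, not Tina CMS code. Node shape ({ type, url, alt, children })
// and function names are assumptions for illustration.

const SAFE_SCHEMES = new Set(["http:", "https:", "mailto:", "tel:"]);

// HTML-escape an attribute or text value. Note that escaping alone does not
// stop a javascript: href: the browser decodes the attribute and then treats
// the value as a URL, so the scheme must be checked separately.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Returns a URL that is safe to place in href/src, or null if it must be dropped.
function sanitizeUrl(raw) {
  if (typeof raw !== "string") return null;
  // Browsers skip ASCII control characters and leading whitespace when
  // reading a scheme, so "java\tscript:" or " javascript:" still execute.
  // Remove them before inspecting the scheme.
  const cleaned = raw.replace(/[\u0000-\u0020\u007f]/g, "");
  // Relative, root-relative, fragment and query-only URLs carry no scheme.
  if (/^[#/?]/.test(cleaned) || !/^[a-z][a-z0-9+.-]*:/i.test(cleaned)) {
    return cleaned;
  }
  let parsed;
  try {
    parsed = new URL(cleaned); // normalises scheme case: "JaVaScRiPt:" -> "javascript:"
  } catch {
    return null;
  }
  return SAFE_SCHEMES.has(parsed.protocol) ? cleaned : null;
}

function renderText(children) {
  return children.map((c) => escapeHtml(c.text)).join("");
}

// Vulnerable shape: the url is escaped but its scheme is never checked, so a
// javascript: or data:text/html value becomes a live, clickable target.
function renderLinkUnsafe(node) {
  return `<a href="${escapeHtml(node.url)}">${renderText(node.children)}</a>`;
}

// Hardened shape: drop the link (keeping its text) when the URL is rejected.
function renderLinkSafe(node) {
  const url = sanitizeUrl(node.url);
  const text = renderText(node.children);
  return url === null ? text : `<a href="${escapeHtml(url)}">${text}</a>`;
}

// Images have no fallback text worth keeping, so a rejected URL emits nothing.
function renderImageSafe(node) {
  const url = sanitizeUrl(node.url);
  return url === null ? "" : `<img src="${escapeHtml(url)}" alt="${escapeHtml(node.alt ?? "")}">`;
}

// Constructed sample content (not taken from a real site).
const MALICIOUS_LINK = {
  type: "a",
  url: "JaVaScRiPt:alert(document.cookie)",
  children: [{ text: "click me" }],
};
const MALICIOUS_IMAGE = { type: "img", url: "data:text/html,<script>alert(1)</script>", alt: "x" };
const BENIGN_LINK = { type: "a", url: "https://example.com/docs", children: [{ text: "docs" }] };

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", renderLinkUnsafe(MALICIOUS_LINK));
  console.log("safe:  ", renderLinkSafe(MALICIOUS_LINK));
  console.log("image: ", JSON.stringify(renderImageSafe(MALICIOUS_IMAGE)));
  console.log("benign:", renderLinkSafe(BENIGN_LINK));
}
```

The design choice worth noting is the allow-list: a deny-list of "javascript:" and "data:" misses case variants, embedded tab or newline characters, and schemes such as vbscript: that older engines honour, whereas an allow-list of http, https, mailto and tel only ever admits what the site has decided to accept. Rejected links degrade to plain text so editors still see the content, and the check runs at render time, which also covers content that was stored before the fix or imported from elsewhere.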

Affected Version(s)

@tinacms/mdx < 2.1.7

tinacms < 3.9.3


CVSS v4

Score: 4.8
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown
