Stored XSS Vulnerability in Tina CMS by Tina
CVE-2026-55661
4.8 MEDIUM
What is CVE-2026-55661?
Tina CMS, a headless content management system, is affected by a stored cross-site scripting (XSS) vulnerability in versions of @tinacms/mdx before 2.1.7 and tinacms before 3.9.3. The rich-text parser and the default link and image renderers do not sanitize the URL field of Slate link/image nodes, so a javascript: or data:text/html URL authored into a link or image is passed through unchanged into the rendered output, where it can execute script in the browser of whoever views or interacts with the content. Anyone who can author rich-text content, including lower-privileged editors and imported content sources, can plant such a payload, putting both editors and site visitors at risk. The issue is fixed in @tinacms/mdx 2.1.7 and tinacms 3.9.3. Sites that cannot upgrade immediately should restrict link and image URLs to an allowlist of safe schemes (for example http, https and mailto) before rendering; escaping the attribute value alone does not help, because the browser decodes the entities and still sees the javascript: or data: scheme.
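As an added illustration (not Tina CMS code and not the project's actual fix), the following JavaScript shows the kind of allowlist check the description above says was missing: a safeUrl() function that accepts only http, https, mailto and tel URLs (plus scheme-less relative paths) for the url field of a Slate link/image node, and a small renderer that can run in either the unchecked or the checked mode so the two outputs can be compared. The node shapes (type "a" / "img" with url, alt and children) and the sample content are assumptions constructed for this example, not Tina's exact schema or real site data.

```javascript
// Added example: allowlist-based URL sanitization for Slate link/image nodes.
// Not Tina CMS code. Node shapes and sample content are assumptions.

const ALLOWED_PROTOCOLS = new Set(["http:", "https:", "mailto:", "tel:"]);

// Mirror the WHATWG URL parser's pre-processing: drop leading/trailing C0
// controls and spaces, and embedded tab/newline, so "java\tscript:" or
// " JAVASCRIPT:" cannot slip past a naive startsWith("javascript:") check.
function normalizeUrl(raw) {
  return raw
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// Returns the (normalized) URL if its scheme is on the allowlist, else null.
// Relative URLs are resolved against a dummy base so they parse as https:.
function safeUrl(raw) {
  if (typeof raw !== "string") return null;
  const url = normalizeUrl(raw);
  let parsed;
  try {
    parsed = new URL(url, "https://base.invalid/");
  } catch {
    return null; // unparseable input: refuse rather than guess
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol) ? url : null;
}

// Minimal HTML escaping for text and attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Render one Slate node to HTML. sanitize=false reproduces the unchecked
// behaviour the advisory describes (url copied straight into href/src);
// sanitize=true is the hardened form: a rejected URL drops the attribute
// entirely so the text/alt survives but nothing is clickable or loadable.
function renderNode(node, { sanitize = true } = {}) {
  const url = sanitize ? safeUrl(node.url) : String(node.url ?? "");
  if (node.type === "a") {
    const text = (node.children ?? []).map((c) => escapeHtml(c.text ?? "")).join("");
    return url === null ? `<a>${text}</a>` : `<a href="${escapeHtml(url)}">${text}</a>`;
  }
  if (node.type === "img") {
    const alt = escapeHtml(node.alt ?? "");
    return url === null ? `<img alt="${alt}">` : `<img src="${escapeHtml(url)}" alt="${alt}">`;
  }
  return "";
}

// Constructed sample nodes (not real Tina content).
const SAMPLE_NODES = [
  { type: "a", url: "https://example.org/docs", children: [{ text: "docs" }] },
  { type: "a", url: "javascript:alert(document.cookie)", children: [{ text: "click me" }] },
  { type: "a", url: "java\tscript:alert(1)", children: [{ text: "tab-split scheme" }] },
  { type: "a", url: " JAVASCRIPT:alert(1)", children: [{ text: "case and whitespace" }] },
  { type: "img", url: "data:text/html,<script>alert(1)</script>", alt: "poisoned image" },
  { type: "img", url: "/uploads/logo.png", alt: "relative path stays" },
];

for (const node of SAMPLE_NODES) {
  console.log("unchecked:", renderNode(node, { sanitize: false }));
  console.log("checked:  ", renderNode(node));
}
```

Note that in the unchecked rendering the data: image still contains "data:text/html" even though the angle brackets were entity-escaped; the browser decodes the entities back before interpreting the src, which is why the scheme must be checked rather than merely escaped.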
Affected Version(s)
@tinacms/mdx < 2.1.7
tinacms < 3.9.3
