@tinacms/graphql has Path Traversal that leads to overwrite of arbitrary...

8.1 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Description

Tina is a headless content management system. Prior to version 2.2.2, a path traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the relativePath parameter in GraphQL mutations. The impact includes the ability to replace critical server configuration files and potentially execute arbitrary commands by sabotaging build script. This issue has been patched in version 2.2.2.

Basic Information

ID CVE-2026-33949

Source GitHub_M

Published Apr 1, 2026 at 15:54

Modified Apr 3, 2026 at 16:44

Affected Product

Vendor tinacms

Product tinacms

Version < 2.2.2

Affected Versions tinacms tinacms < 2.2.2

CWE Classification

CWE-22 CWE-73

References

github.com /tinacms/tinacms/security/advisories/GHSA-v9p7-gf3q-h779

{
    "lastseen": "",
    "description": "Tina is a headless content management system. Prior to version 2.2.2, a path traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the relativePath parameter in GraphQL mutations. The impact includes the ability to replace critical server configuration files and potentially execute arbitrary commands by sabotaging build script. This issue has been patched in version 2.2.2.",
    "published": "2026-04-01T15:54:12.351Z",
    "modified": "2026-04-03T16:44:46.487Z",
    "type": "cve",
    "title": "@tinacms/graphql has Path Traversal that leads to overwrite of arbitrary files",
    "source": "GitHub_M",
    "references": "https://github.com/tinacms/tinacms/security/advisories/GHSA-v9p7-gf3q-h779",
    "id": "CVE-2026-33949",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22",
        "CWE-73"
    ],
    "cvelist": null,
    "sourceData": "tinacms tinacms < 2.2.2",
    "sourceHref": "",
    "cvss": {
        "score": 8.1,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "tinacms",
    "version": "< 2.2.2",
    "vendor": "tinacms",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

@tinacms/graphql has Path Traversal that leads to overwrite of arbitrary files_CVE-2026-33949