CVE-2026-29066 — MEDIUM (6.2)

Q: How severe is CVE-2026-29066?

CVE-2026-29066 has been rated MEDIUM with a CVSS base score of 6.2/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2026-29066?

Check the references section above for vendor advisories and patch information. Affected products include: Ssw Tinacms\/Cli.

Vulnerability Description

Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server configures Vite with server.fs.strict: false, which disables Vite's built-in filesystem access restriction. This allows any unauthenticated attacker who can reach the dev server to read arbitrary files on the host system. This vulnerability is fixed in 2.1.8.

CVSS Score

6.2

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Ssw	Tinacms\/Cli	< 2.1.8

Related Weaknesses (CWE)

CWE-552 CWE-200

References

https://github.com/tinacms/tinacms/security/advisories/GHSA-m48g-4wr2-j2h6ExploitVendor Advisory
https://github.com/tinacms/tinacms/security/advisories/GHSA-m48g-4wr2-j2h6ExploitVendor Advisory

FAQ

What is CVE-2026-29066?

CVE-2026-29066 is a vulnerability with a CVSS score of 6.2 (MEDIUM). Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server configures Vite with server.fs.strict: false, which disables Vite's built-in filesystem access restriction. Thi...

How severe is CVE-2026-29066?

CVE-2026-29066 has been rated MEDIUM with a CVSS base score of 6.2/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-29066?

Check the references section above for vendor advisories and patch information. Affected products include: Ssw Tinacms\/Cli.