CVE-2026-29066
Arbitrary File Read via Disabled Vite Filesystem Restriction in TinaCMS CLI
Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server configures Vite with server.fs.strict: false, which disables Vite's built-in filesystem access restriction. This allows any unauthenticated attacker who can reach the dev server to read arbitrary files on the host system. This vulnerability is fixed in 2.1.8.
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Productos afectados
@tinacms · cli¿Quieres saber si tu infraestructura está expuesta a esto?
Hablar con TrueHacking →