Security Advisory

CVE-2026-29066

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-03-12 16:57:41

Last updated 2026-03-13 16:27:22

Assigner GitHub_M

State PUBLISHED

Description

Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server configures Vite with server.fs.strict: false, which disables Vites built-in filesystem access restriction. This allows any unauthenticated attacker who can reach the dev server to read arbitrary files on the host system. This vulnerability is fixed in 2.1.8.

← Browse all CVEs View on cve.org ↗