{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33949", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T19:50:52.105Z", "datePublished": "2026-04-01T15:54:12.351Z", "dateUpdated": "2026-04-03T16:44:46.487Z"}, "containers": {"cna": {"title": "@tinacms/graphql has Path Traversal that leads to overwrite of arbitrary files", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-73", "lang": "en", "description": "CWE-73: External Control of File Name or Path", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/tinacms/tinacms/security/advisories/GHSA-v9p7-gf3q-h779", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-v9p7-gf3q-h779"}], "affected": [{"vendor": "tinacms", "product": "tinacms", "versions": [{"version": "< 2.2.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-01T15:54:12.351Z"}, "descriptions": [{"lang": "en", "value": "Tina is a headless content management system. Prior to version 2.2.2, a path traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the relativePath parameter in GraphQL mutations. The impact includes the ability to replace critical server configuration files and potentially execute arbitrary commands by sabotaging build script. This issue has been patched in version 2.2.2."}], "source": {"advisory": "GHSA-v9p7-gf3q-h779", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T16:44:36.092778Z", "id": "CVE-2026-33949", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T16:44:46.487Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33949", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T16:44:36.092778Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T16:44:42.991Z"}}], "cna": {"title": "@tinacms/graphql has Path Traversal that leads to overwrite of arbitrary files", "source": {"advisory": "GHSA-v9p7-gf3q-h779", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "tinacms", "product": "tinacms", "versions": [{"status": "affected", "version": "< 2.2.2"}]}], "references": [{"url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-v9p7-gf3q-h779", "name": "https://github.com/tinacms/tinacms/security/advisories/GHSA-v9p7-gf3q-h779", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Tina is a headless content management system. Prior to version 2.2.2, a path traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the relativePath parameter in GraphQL mutations. The impact includes the ability to replace critical server configuration files and potentially execute arbitrary commands by sabotaging build script. This issue has been patched in version 2.2.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-73", "description": "CWE-73: External Control of File Name or Path"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-01T15:54:12.351Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33949", "state": "PUBLISHED", "dateUpdated": "2026-04-03T16:44:46.487Z", "dateReserved": "2026-03-24T19:50:52.105Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-01T15:54:12.351Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Tina is a headless content management system. Prior to version 2.2.2, a path traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the relativePath parameter in GraphQL mutations. The impact includes the ability to replace critical server configuration files and potentially execute arbitrary commands by sabotaging build script. This issue has been patched in version 2.2.2."}], "id": "CVE-2026-33949", "lastModified": "2026-04-03T16:11:11.357", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-01T17:28:39.507", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-v9p7-gf3q-h779"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-73"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.2.2)"}}], "enrichment": {"confidence": 89.0, "confidence_source": "matching", "scores": [{"score": 89.0, "source": "matching"}]}, "original": {"product": "tinacms", "source": "cna", "vendor": "tinacms"}, "product": "tinacms", "vendor": "tina"}], "analysis": {"en": {"generated_at": "2026-04-02T03:47:42.313460+00:00", "value": {"mitigation_remediation": ["Upgrade Tina CMS to version 2.2.2 or later"], "summary": {"action": "Patch Immediately", "impact": "Arbitrary File Overwrite"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Tina CMS project, specifically the @tinacms/graphql component. Users running any release of Tina CMS prior to version 2.2.2 are susceptible. Upgrading to version\u00a02.2.2 or later removes the flaw.", "description_and_impact": "A path traversal flaw in the GraphQL module of Tina CMS allows an attacker who does not need to be authenticated to specify a relative file path that resolves outside the intended project root. By sending a crafted relativePath value in GraphQL mutations the attacker can create or overwrite any file inside the project\u2019s working directory. This can be used to replace critical configuration files or to write malicious build scripts, thereby providing a pathway to execute arbitrary code on the server host.", "risk_and_exploitability": "The CVSS base score of 8.1 indicates a high severity. The flaw is exploitable over the network via the public GraphQL endpoint, requires no user authentication, and can lead to ownership of the server if the attacker writes files that allow execution. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Because the attack can be performed remotely and the condition is straightforward, the real\u2011world risk is high for any site exposing the GraphQL endpoint without protection."}}}}, "created": "2026-04-02T07:48:55.448111+00:00", "updated": "2026-04-02T20:17:20.859948+00:00", "vendors": ["tina", "tina$PRODUCT$tinacms"]}