CVE-2026-29066

MEDIUM NUCLEI

Tina CMS <2.1.8 - Info Disclosure

Description

Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server configures Vite with server.fs.strict: false, which disables Vite's built-in filesystem access restriction. This allows any unauthenticated attacker who can reach the dev server to read arbitrary files on the host system. This vulnerability is fixed in 2.1.8.

Exploits (1)

github WRITEUP
by alaeddine03 · poc
https://github.com/alaeddine03/CVE-Disclosures/tree/main/Tinacms/ CVE-2026-29066

Nuclei Templates (1)

TinaCMS - Path Traversal
MEDIUM · VERIFIED · by theamanrawat
Shodan: http.title:"TinaCMS"
FOFA: body="TinaCMS" || body="tinacms"

Scores

CVSS v3 6.2
EPSS 0.0622
EPSS Percentile 90.9%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-200 CWE-552
Status published
Products (1)
ssw/tinacms/cli < 2.1.8
Published Mar 12, 2026
Tracked Since Mar 13, 2026