CVE-2026-29066

MEDIUM NUCLEI

ssw/tinacms/cli < 2.1.8 - Unauthenticated Arbitrary File Read via Vite Dev Server Misconfiguration

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-29066. PoCs published by alaeddine03. A Nuclei detection template is also available.

AI-analyzed exploit summary The repository describes CVE-2026-29066, an arbitrary file read vulnerability in TinaCMS due to disabled Vite filesystem restrictions. The README provides a technical overview but lacks exploit code or detailed analysis.

Description

Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server configures Vite with server.fs.strict: false, which disables Vite's built-in filesystem access restriction. This allows any unauthenticated attacker who can reach the dev server to read arbitrary files on the host system. This vulnerability is fixed in 2.1.8.

Exploits (1)

github WRITEUP
by alaeddine03 · poc
https://github.com/alaeddine03/CVE-Disclosures/tree/main/Tinacms/ CVE-2026-29066

The repository describes CVE-2026-29066, an arbitrary file read vulnerability in TinaCMS due to disabled Vite filesystem restrictions. The README provides a technical overview but lacks exploit code or detailed analysis.

Classification
Writeup 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Theoretical
Target: TinaCMS CLI dev server
No auth needed
Prerequisites: Access to the TinaCMS dev server
devstral-2 · analyzed Apr 11, 2026 Full analysis →

Nuclei Templates (1)

TinaCMS - Path Traversal
MEDIUMVERIFIEDby theamanrawat
Shodan: http.title:"TinaCMS"
FOFA: body="TinaCMS" || body="tinacms"

References (1)

Core 1
Core References

Scores

CVSS v3 6.2
EPSS 0.0648
EPSS Percentile 91.3%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-200 CWE-552
Status published
Products (1)
ssw/tinacms\/cli < 2.1.8
Published Mar 12, 2026
Tracked Since Mar 13, 2026