{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33949", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T19:50:52.105Z", "datePublished": "2026-04-01T15:54:12.351Z", "dateUpdated": "2026-04-03T16:44:46.487Z"}, "containers": {"cna": {"title": "@tinacms/graphql has Path Traversal that leads to overwrite of arbitrary files", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-73", "lang": "en", "description": "CWE-73: External Control of File Name or Path", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/tinacms/tinacms/security/advisories/GHSA-v9p7-gf3q-h779", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-v9p7-gf3q-h779"}], "affected": [{"vendor": "tinacms", "product": "tinacms", "versions": [{"version": "< 2.2.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-01T15:54:12.351Z"}, "descriptions": [{"lang": "en", "value": "Tina is a headless content management system. Prior to version 2.2.2, a path traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the relativePath parameter in GraphQL mutations. The impact includes the ability to replace critical server configuration files and potentially execute arbitrary commands by sabotaging build script. This issue has been patched in version 2.2.2."}], "source": {"advisory": "GHSA-v9p7-gf3q-h779", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T16:44:36.092778Z", "id": "CVE-2026-33949", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T16:44:46.487Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33949", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T16:44:36.092778Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T16:44:42.991Z"}}], "cna": {"title": "@tinacms/graphql has Path Traversal that leads to overwrite of arbitrary files", "source": {"advisory": "GHSA-v9p7-gf3q-h779", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "tinacms", "product": "tinacms", "versions": [{"status": "affected", "version": "< 2.2.2"}]}], "references": [{"url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-v9p7-gf3q-h779", "name": "https://github.com/tinacms/tinacms/security/advisories/GHSA-v9p7-gf3q-h779", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Tina is a headless content management system. Prior to version 2.2.2, a path traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the relativePath parameter in GraphQL mutations. The impact includes the ability to replace critical server configuration files and potentially execute arbitrary commands by sabotaging build script. This issue has been patched in version 2.2.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-73", "description": "CWE-73: External Control of File Name or Path"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-01T15:54:12.351Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33949", "state": "PUBLISHED", "dateUpdated": "2026-04-03T16:44:46.487Z", "dateReserved": "2026-03-24T19:50:52.105Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-01T15:54:12.351Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ssw:tinacms\\/graphql:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "C7C5E716-5EA4-499D-B5C0-864632E2620D", "versionEndIncluding": "2.2.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Tina is a headless content management system. Prior to version 2.2.2, a path traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the relativePath parameter in GraphQL mutations. The impact includes the ability to replace critical server configuration files and potentially execute arbitrary commands by sabotaging build script. This issue has been patched in version 2.2.2."}], "id": "CVE-2026-33949", "lastModified": "2026-04-07T19:17:35.867", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-01T17:28:39.507", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-v9p7-gf3q-h779"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-73"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.2.2)"}}], "enrichment": {"confidence": 89.0, "confidence_source": "matching", "scores": [{"score": 89.0, "source": "matching"}]}, "original": {"product": "tinacms", "source": "cna", "vendor": "tinacms"}, "product": "tinacms", "vendor": "tina"}], "analysis": {"en": {"generated_at": "2026-04-07T21:49:28.681692+00:00", "value": {"mitigation_remediation": ["Upgrade @tinacms/graphql to version 2.2.2 or later.", "Verify that the GraphQL endpoint is not publicly exposed to unauthenticated users.", "If an immediate update is not possible, restrict access to GraphQL mutations to authenticated users or block the relativePath parameter if feasible.", "Monitor the integrity of critical application files to detect unauthorized changes."], "summary": {"action": "Patch Immediately", "impact": "Arbitrary file overwrite that can lead to execution of malicious code"}, "threat_synthesis": {"affected_systems": "The vulnerable component is the @tinacms/graphql module used in Tina CMS, a headless content management system built on Node.js. Any installation of this package that is running a version earlier than 2.2.2 is affected. The flaw impacts any deployment that exposes the GraphQL endpoint of Tina CMS to unauthenticated traffic.", "description_and_impact": "A path traversal flaw in the @tinacms/graphql GraphQL API enables unauthenticated attackers to craft mutation requests that write or overwrite any file in the project root, potentially replacing critical configuration files or tampering build scripts to run arbitrary code. This weakness aligns with CWE\u201122 and CWE\u201173.", "risk_and_exploitability": "The CVSS score of 8.1 indicates high severity, while the EPSS score of < 1% reflects a currently low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires no authentication and relies on sending a crafted GraphQL mutation; thus the attack surface is wide but the impact is severe if achieved."}}}}, "created": "2026-04-02T07:48:55.448111+00:00", "updated": "2026-04-08T19:57:06.790637+00:00", "vendors": ["tina", "tina$PRODUCT$tinacms"]}