CVE-2026-33949 · HIGH 8.1 · EPSS percentile 30.3%


Description

Tina is a headless content management system. Prior to version 2.2.2, a path traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the relativePath parameter in GraphQL mutations. The impact includes the ability to replace critical server configuration files and potentially execute arbitrary commands by sabotaging build scripts. This issue has been patched in version 2.2.2.

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
EPSS: 0.39% probability of exploitation · percentile 30.3% · 2026-06-19T12:03:05Z
Published: 2026-04-01
Last modified: 2026-04-07

Underlying weaknesses · 2

CWE-22, CWE-73

References

  1. https://github.com/tinacms/tinacms/security/advisories/GHSA-v9p7-gf3q-h779


Type | Target | Confidence | Tier
Weakness | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (cwe-22) | 0% | live
Weakness | External Control of File Name or Path (cwe-73) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2026-34604
CVE-2026-34603
CVE-2026-28793
CVE-2026-28792
CVE-2025-68278
CVE-2026-49738
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.