RCE in Tinacms

CVE-2025-68278

Tina is a headless content management system. Prior to version 3.1.1, tinacms uses the gray-matter package in an insecure way, allowing attackers who can control the content of the processed markdown files (e.g., blog posts) to…

Vulnerability class: RCE (Remote Code Execution)

EPSS: 0.001 (21.4th percentile)

Affected products

  • Tinacms — versions tinacms < 3.1.1, @tinacms/cli < 2.0.4, @tinacms/graphql < 2.0.3
