XSS in TinaCMS
CVE-2026-55660
Tina is a headless content management system. In versions prior to @tinacms/app 2.5.6 and tinacms 3.9.3, cross-origin postMessage handlers and a rich-text URL-sanitization bypass enable stored XSS and session takeover. The library register…
Vulnerability class: XSS (Cross-Site Scripting)
Affected products
- TinaCMS — versions < 3.9.3
- TinaCMS @tinacms/app — versions < 2.5.6
Weakness classification (CWE)