XSS in TinaCMS

CVE-2026-55660

Tina is a headless content management system. In @tinacms/app versions prior to 2.5.6 and tinacms versions prior to 3.9.3, cross-origin postMessage handlers and a rich-text URL-sanitization bypass enable stored XSS and session takeover. The library register…

Vulnerability class: XSS (Cross-Site Scripting)

Affected products

Weakness classification (CWE)

References