PT-2026-29157 · @Tinacms/Graphql · Tinacms

Aarjubh · Published 2026-03-30 · Updated 2026-04-02 · CVE-2026-33949

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Tina versions prior to 2.2.2

Description: A path traversal vulnerability exists in @tinacms/graphql, allowing unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the relativePath parameter in GraphQL mutations. The impact includes the ability to replace critical server configuration files and potentially execute arbitrary commands by sabotaging build scripts. The vulnerability stems from insufficient path validation in the getValidatedPath function, which fails to correctly handle backslashes as directory separators on non-Windows platforms. An attacker can craft a malicious path, such as x......package.json, to bypass validation and traverse the file system. The affected code areas include the assertWithinBase function in filesystem.ts and the getValidatedPath function in resolver/index.ts.

Recommendations: Update to version 2.2.2 or later.
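The following is an added illustration of the weakness class the description names, not code from @tinacms/graphql or from the advisory. It contrasts a base-directory check that leaves backslashes to the host platform (so on Linux or macOS a value like "x\..\..\package.json" is treated as one odd file name inside the base) with a validator that unifies both separators before resolving. The function names (naiveIsWithinBase, validateRelativePath, isSafeRelativePath) and the base directory /srv/app/content are constructed for the example.

```typescript
import * as path from "path";

// Added example; not TinaCMS code. Function names and the base directory
// used below are constructed for illustration.

// True when `target` is not a file strictly inside `base`.
// Uses path.sep so the ".." comparison works on both POSIX and Windows,
// and does not reject legitimate names such as "..hidden/file.md".
function escapesBase(base: string, target: string): boolean {
  const rel = path.relative(base, target);
  return (
    rel === "" ||                          // the base directory itself
    rel === ".." ||
    rel.startsWith(".." + path.sep) ||     // climbs out of base
    path.isAbsolute(rel)                   // different root / drive
  );
}

// Weak check of the kind the advisory describes: it relies entirely on the
// platform's path.resolve. On non-Windows hosts "\" is an ordinary character,
// so "x\..\..\package.json" resolves to a single file name under base and
// the check passes, even though a later consumer may honour the backslashes.
export function naiveIsWithinBase(baseDir: string, relativePath: string): boolean {
  const base = path.resolve(baseDir);
  return !escapesBase(base, path.resolve(base, relativePath));
}

// Hardened validator: reject NUL bytes and absolute paths, treat "\" as a
// separator on every platform, then confirm the resolved target stays inside
// the base directory. Returns the resolved absolute path on success.
export function validateRelativePath(baseDir: string, relativePath: string): string {
  if (relativePath.includes("\0")) {
    throw new Error("relativePath contains a NUL byte");
  }
  // Unify separators so a POSIX host sees the same segments Windows would.
  const unified = relativePath.replace(/\\/g, "/");
  if (path.posix.isAbsolute(unified)) {
    throw new Error("relativePath must not be absolute");
  }
  const base = path.resolve(baseDir);
  const target = path.resolve(base, unified);
  if (escapesBase(base, target)) {
    throw new Error(`relativePath escapes the base directory: ${relativePath}`);
  }
  return target;
}

// Boolean convenience wrapper around validateRelativePath.
export function isSafeRelativePath(baseDir: string, relativePath: string): boolean {
  try {
    validateRelativePath(baseDir, relativePath);
    return true;
  } catch {
    return false;
  }
}

// Usage with a constructed base directory and candidate inputs.
const CONTENT_DIR = "/srv/app/content";
for (const candidate of ["posts/hello.md", "x\\..\\..\\package.json", "../package.json"]) {
  console.log(
    JSON.stringify(candidate),
    "naive:", naiveIsWithinBase(CONTENT_DIR, candidate),
    "hardened:", isSafeRelativePath(CONTENT_DIR, candidate),
  );
}
```

Run on a Linux or macOS host, the naive check reports true for the backslash variant while the hardened validator rejects it; both reject the plain "../" form. Normalising separators before the containment check is what closes the gap, and doing it in one validator that every write path calls avoids the two-location inconsistency the advisory points to.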

Fix

Weakness Enumeration
Path traversal

Related Identifiers
CVE-2026-33949
GHSA-V9P7-GF3Q-H779

Affected Products
@Tinacms/Graphql
Tinacms