PT-2026-29498 · Tina · Tina

Offset
Published: 2026-04-01 · Updated: 2026-06-08 · CVE-2026-34603
CVSS v3.1: 8.3 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: Tina versions prior to 2.2.2
Description: A path-traversal issue exists in Tina, a headless content management system, due to insufficient validation of file paths in the dev media routes. The implementation validates only the path string and does not resolve symlink or junction targets. If a link exists under the media root, Tina accepts a path through it as being inside the media directory and performs filesystem operations on the link target, allowing out-of-root media listing, write access, and potentially deletion. The root cause is lexical path validation in place of canonical filesystem checks. The affected API endpoints are /media/list/... for listing, /media/upload/... for writing, and /media/... with the DELETE method for deletion. The vulnerable parameters are user-controlled paths, such as pivot/written-from-media.txt, which can be manipulated to reach files outside the intended media directory. The functions resolveWithinBase() and resolveStrictlyWithinBase() perform the path validation but do not account for symlinks or junctions.
Recommendations: Update to Tina version 2.2.2 or later.

Exploit

Fix

Link Following

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2026-34603
GHSA-G87C-R2JP-293W

Affected Products

Tina