CVE-2026-24125

{"id": "CVE-2026-24125", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 2.8}]}, "published": "2026-03-12T17:16:39.233", "references": [{"url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-2238-xc5r-v9hj", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "Tina is a headless content management system. Prior to 2.1.2, TinaCMS allows users to create, update, and delete content documents using relative file paths (relativePath, newRelativePath) via GraphQL mutations. Under certain conditions, these paths are combined with the collection path using path.join() without validating that the resolved path remains within the collection root directory. Because path.join() does not prevent directory traversal, paths containing ../ sequences can escape the intended directory boundary. This vulnerability is fixed in 2.1.2."}, {"lang": "es", "value": "Tina es un sistema de gesti\u00f3n de contenido sin interfaz. Antes de la versi\u00f3n 2.1.2, TinaCMS permite a los usuarios crear, actualizar y eliminar documentos de contenido utilizando rutas de archivo relativas (relativePath, newRelativePath) a trav\u00e9s de mutaciones GraphQL. Bajo ciertas condiciones, estas rutas se combinan con la ruta de la colecci\u00f3n utilizando path.join() sin validar que la ruta resuelta permanezca dentro del directorio ra\u00edz de la colecci\u00f3n. Dado que path.join() no evita el salto de directorio, las rutas que contienen secuencias ../ pueden escapar del l\u00edmite de directorio previsto. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 2.1.2."}], "lastModified": "2026-03-13T19:22:04.353", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ssw:tinacms\\/graphql:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "5CA145FF-AF13-4D53-8197-C2195D6B2462", "versionEndExcluding": "2.1.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}