{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-07T20:47:22.411","vulnerabilities":[{"cve":{"id":"CVE-2026-24125","sourceIdentifier":"security-advisories@github.com","published":"2026-03-12T17:16:39.233","lastModified":"2026-03-13T19:22:04.353","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Tina is a headless content management system. Prior to 2.1.2, TinaCMS allows users to create, update, and delete content documents using relative file paths (relativePath, newRelativePath) via GraphQL mutations. Under certain conditions, these paths are combined with the collection path using path.join() without validating that the resolved path remains within the collection root directory. Because path.join() does not prevent directory traversal, paths containing ../ sequences can escape the intended directory boundary. This vulnerability is fixed in 2.1.2."},{"lang":"es","value":"Tina es un sistema de gestión de contenido sin interfaz. Antes de la versión 2.1.2, TinaCMS permite a los usuarios crear, actualizar y eliminar documentos de contenido utilizando rutas de archivo relativas (relativePath, newRelativePath) a través de mutaciones GraphQL. Bajo ciertas condiciones, estas rutas se combinan con la ruta de la colección utilizando path.join() sin validar que la ruta resuelta permanezca dentro del directorio raíz de la colección. Dado que path.join() no evita el salto de directorio, las rutas que contienen secuencias ../ pueden escapar del límite de directorio previsto. Esta vulnerabilidad está corregida en la versión 2.1.2."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","baseScore":6.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":3.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-22"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:ssw:tinacms\\/graphql:*:*:*:*:*:node.js:*:*","versionEndExcluding":"2.1.2","matchCriteriaId":"5CA145FF-AF13-4D53-8197-C2195D6B2462"}]}]}],"references":[{"url":"https://github.com/tinacms/tinacms/security/advisories/GHSA-2238-xc5r-v9hj","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]}]}}]}