tinacms 0.0.0-64504b2-20260414052425

Direct Vulnerabilities

Known vulnerabilities in the tinacms package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Improper Verification of Source of a Communication Channel tinacms is a headless content management system with support for Markdown, MDX, JSON, YAML, and more. Affected versions of this package are vulnerable to Improper Verification of Source of a Communication Channel via improper validation of cross-origin messages in the `window` message listeners. An attacker can hijack authenticated editing sessions by sending crafted postMessage events from a malicious origin. How to fix Improper Verification of Source of a Communication Channel? Upgrade `tinacms` to version 3.9.3 or higher.	<3.9.3
M Cross-site Scripting (XSS) tinacms is a headless content management system with support for Markdown, MDX, JSON, YAML, and more. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the `url` field in Slate link or image nodes during rich-text rendering and parsing. An attacker can execute arbitrary JavaScript in the context of the user's browser by crafting content with malicious URL schemes such as `javascript:` or `data:text/html`, including obfuscated forms, which are rendered into `href` or `src` attributes when the content is viewed. How to fix Cross-site Scripting (XSS)? Upgrade `tinacms` to version 3.9.3 or higher.	<3.9.3
H Arbitrary Code Injection tinacms is a headless content management system with support for Markdown, MDX, JSON, YAML, and more. Affected versions of this package are vulnerable to Arbitrary Code Injection via the improper use of `gray-matter` package. An attacker can execute arbitrary code on the server by submitting specially crafted markdown files containing malicious JavaScript in the front matter. How to fix Arbitrary Code Injection? Upgrade `tinacms` to version 3.1.1 or higher.	<3.1.1

Vulnerability

Vulnerable Version

Improper Verification of Source of a Communication Channel

tinacms is a headless content management system with support for Markdown, MDX, JSON, YAML, and more.

Affected versions of this package are vulnerable to Improper Verification of Source of a Communication Channel via improper validation of cross-origin messages in the window message listeners. An attacker can hijack authenticated editing sessions by sending crafted postMessage events from a malicious origin.

How to fix Improper Verification of Source of a Communication Channel?

Upgrade tinacms to version 3.9.3 or higher.

<3.9.3

Cross-site Scripting (XSS)

tinacms is a headless content management system with support for Markdown, MDX, JSON, YAML, and more.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the url field in Slate link or image nodes during rich-text rendering and parsing. An attacker can execute arbitrary JavaScript in the context of the user's browser by crafting content with malicious URL schemes such as javascript: or data:text/html, including obfuscated forms, which are rendered into href or src attributes when the content is viewed.

How to fix Cross-site Scripting (XSS)?

Upgrade tinacms to version 3.9.3 or higher.

<3.9.3

Arbitrary Code Injection

tinacms is a headless content management system with support for Markdown, MDX, JSON, YAML, and more.

Affected versions of this package are vulnerable to Arbitrary Code Injection via the improper use of gray-matter package. An attacker can execute arbitrary code on the server by submitting specially crafted markdown files containing malicious JavaScript in the front matter.

How to fix Arbitrary Code Injection?

Upgrade tinacms to version 3.1.1 or higher.

<3.1.1

tinacms@0.0.0-64504b2-20260414052425

latest version

latest non vulnerable version

first published

latest version published

Direct Vulnerabilities

Fix vulnerabilities automatically