CVE Catalog

CVE-2026-54074

HighCVSS 7.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.17%

7th percentile — higher than 7% of all known CVEs

Summary

A Remote Code Execution vulnerability exists in @tinacms/cli prior to version 2.4.3 during the Forestry-to-Tina migration. The addVariablesToCode helper unsafely processes user-supplied label and name fields from .forestry/**/*.yml, allowing arbitrary JavaScript injection into the generated tina/templates.{ts,js} file.

Risk Assessment

An attacker can execute arbitrary code with the developer's privileges when running tinacms dev or tinacms build, potentially leading to data theft, malware installation, or further compromise of the development environment.

Recommendation

Upgrade @tinacms/cli to version 2.4.3 or later immediately. Ensure that Forestry source files are from a trusted source before migration.

Original NVD description (English source)

Tina is a headless content management system. @tinacms/cli versions prior to 2.4.3 contain a Remote Code Execution vulnerability in the Forestry-to-Tina migration command. The internal helper addVariablesToCode unquotes any value matching the marker "__TINA_INTERNAL__:::(.*?):::" inside the stringified collection JSON. User-supplied label and name fields from .forestry/**/*.yml are placed into that JSON without any sanitisation. An attacker who controls a Forestry-style project can therefore inject arbitrary JavaScript into the generated tina/templates.{ts,js} file. The injected code is written at module top level, so it executes the moment the developer runs tinacms dev or tinacms build, with the developer's privileges. This issue has been fixed in version 2.4.3.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS