CVE-2026-34603

High

Published: 01 April 2026

Published

01 April 2026

Modified

07 April 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

EPSS Score 0.0009 24.8th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-34603 is a high-severity Path Traversal (CWE-22) vulnerability in Ssw Tinacms\/Cli. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 3 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly addresses the inadequate lexical path validation in @tinacms/cli dev media routes by requiring comprehensive input validation that resolves symlinks and junctions to block traversal to out-of-root locations.

SI-2 Flaw Remediation good match

prevent

Ensures timely flaw remediation through patching to Tina version 2.2.2, which fixes the symlink/junction path traversal vulnerability.

AC-3 Access Enforcement partial match

prevent

Enforces strict access controls on filesystem resources to restrict low-privilege users from performing out-of-root listing, write, and delete operations even if path traversal is attempted.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1083 File and Directory Discovery Discovery

Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.

attack.mitre.org →

T1105 Ingress Tool Transfer Command And Control

Adversaries may transfer tools or other files from an external system into a compromised environment.

attack.mitre.org →

T1485 Data Destruction Impact

Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.

attack.mitre.org →

Why these techniques?

Path traversal in public-facing CMS directly enables T1190 exploitation and facilitates T1083 (out-of-root listing), T1105 (arbitrary writes for tool ingress), and T1485 (deletes for destruction).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Tina is a headless content management system. Prior to version 2.2.2, @tinacms/cli recently added lexical path-traversal checks to the dev media routes, but the implementation still validates only the path string and does not resolve symlink or junction targets. If…

a link already exists under the media root, Tina accepts a path like pivot/written-from-media.txt as "inside" the media directory and then performs real filesystem operations through that link target. This allows out-of-root media listing and write access, and the same root cause also affects delete. This issue has been patched in version 2.2.2.

Deeper analysisAI

CVE-2026-34603 is a path traversal vulnerability (CWE-22, CWE-59) in the @tinacms/cli component of Tina, a headless content management system. Prior to version 2.2.2, lexical path-traversal checks were added to the dev media routes, but these only validate the path string without resolving symlink or junction targets. If a symlink or junction already exists under the media root, Tina treats paths like "pivot/written-from-media.txt" as valid within the media directory, enabling real filesystem operations through the link target. This affects media listing, write, and delete operations, with a CVSS v3.1 base score of 7.1 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L).

An attacker with low privileges (PR:L) can exploit this over the network (AV:N), though it requires high attack complexity (AC:H) such as pre-existing symlinks or junctions under the media root. No user interaction is needed (UI:N). Successful exploitation grants high confidentiality impact via out-of-root media listing, high integrity impact through arbitrary write and delete operations outside the intended media directory, and low availability impact.

The issue is addressed in Tina version 2.2.2, as detailed in the GitHub security advisory (GHSA-g87c-r2jp-293w) and the patching commit (f124eabaca10dac9a4d765c9e4135813c4830955). Security practitioners should upgrade to version 2.2.2 or later to mitigate the vulnerability.

Details

CWE(s): CWE-22 CWE-59

Affected Products

ssw

tinacms\/cli

≤ 2.2.1

CVEs Like This One

CVE-2026-28791Same product: Ssw Tinacms\/Cli

CVE-2026-28793Same product: Ssw Tinacms\/Cli

CVE-2026-28792Same product: Ssw Tinacms\/Cli

CVE-2026-29066Same product: Ssw Tinacms\/Cli

CVE-2026-34604Same vendor: Ssw

CVE-2025-68278Same product: Ssw Tinacms\/Cli

CVE-2026-33949Same vendor: Ssw

CVE-2024-12905Shared CWE-22, CWE-59

CVE-2026-33748Shared CWE-22, CWE-59

CVE-2024-57728Shared CWE-22, CWE-59

References

https://github.com/tinacms/tinacms/commit/f124eabaca10dac9a4d765c9e4135813c4830955
Patch · security-advisories@github.com
https://github.com/tinacms/tinacms/security/advisories/GHSA-g87c-r2jp-293w
Vendor Advisory · security-advisories@github.com
https://github.com/tinacms/tinacms/security/advisories/GHSA-g87c-r2jp-293w
Vendor Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0