CVE-2026-55660
Status: Received (Intake)

Stored XSS in TinaCMS Content Management System

Vulnerability report for CVE-2026-55660, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: GitHub, Inc.

Description

Tina is a headless content management system. In versions prior to @tinacms/app 2.5.6 and tinacms 3.9.3, cross-origin postMessage handlers and a rich-text URL-sanitization bypass enable stored XSS and session takeover. The library registers window message listeners (the useTina overlay handler, the OAuth authentication popup handler, and the admin↔preview iframe GraphQL reducer) that act on event.data without verifying event.origin or event.source, and it posts messages with non-specific target origins; in addition, insufficient URL sanitization in rich-text content allows malicious URLs to persist and execute. A page the victim visits (or a window in an opener/iframe relationship with a Tina admin) can forge messages to drive the editor, inject preview content, or observe or forge the OAuth popup channel to take over an authenticated editing session. The issue is fixed in @tinacms/app 2.5.6 and tinacms 3.9.3.
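The postMessage half of the issue, as an added example that is not TinaCMS code: a small in-memory model of window.postMessage, a "message" listener written the vulnerable way (acts on event.data with no origin or source check), the same listener hardened with an exact-match origin allowlist, a bound sender window and a payload schema check, and a second scenario showing why a "*" target origin leaks a message to a popup that has navigated elsewhere. The window origins, the { type: "updateData" } and { type: "authResult" } message shapes and every function name are constructed for this illustration and are not Tina's.

```javascript
// Added example (not TinaCMS code). All origins, message shapes and function
// names below are hypothetical.

// Minimal stand-in for a browser window so the exchange runs outside a browser.
function createWindow(origin) {
  const listeners = [];
  return {
    origin,
    addEventListener(type, fn) {
      if (type === "message") listeners.push(fn);
    },
    // Browser rule: a message is delivered only if targetOrigin is "*" or equals
    // the receiver's current origin. Returns whether it was delivered.
    receive(data, targetOrigin, sender) {
      if (targetOrigin !== "*" && targetOrigin !== origin) return false;
      const event = { data, origin: sender.origin, source: sender };
      listeners.forEach((fn) => fn(event));
      return true;
    },
  };
}

// Models `receiver.postMessage(data, targetOrigin)` called from code in `sender`.
function sendMessage(sender, receiver, data, targetOrigin) {
  return receiver.receive(data, targetOrigin, sender);
}

// Vulnerable listener: applies event.data from any sender (CWE-346 / CWE-940).
function attachVulnerableListener(win, state) {
  win.addEventListener("message", (event) => {
    const msg = event.data;
    if (msg && msg.type === "updateData") state.data = msg.data;
  });
}

// Hardened listener: exact-match origin allowlist, the expected sender window,
// and a schema check on the payload before anything is applied.
function attachHardenedListener(win, state, allowedOrigins, expectedSource) {
  const allowed = new Set(allowedOrigins);
  win.addEventListener("message", (event) => {
    if (!allowed.has(event.origin)) return;                 // unknown origin
    if (expectedSource && event.source !== expectedSource) return; // wrong window
    const msg = event.data;
    if (!msg || typeof msg !== "object" || msg.type !== "updateData") return;
    if (!msg.data || typeof msg.data !== "object") return;
    state.data = msg.data;
  });
}

// Scenario 1: a legitimate preview message, then a forged one from an
// attacker-controlled window. Returns the title the admin state ends up with.
function forgedMessageScenario(hardened) {
  const admin = createWindow("https://admin.example.com");
  const preview = createWindow("https://preview.example.com");
  const attacker = createWindow("https://evil.example");
  const state = { data: { title: "original" } };
  if (hardened) {
    attachHardenedListener(admin, state, [preview.origin], preview);
  } else {
    attachVulnerableListener(admin, state);
  }
  sendMessage(preview, admin,
    { type: "updateData", data: { title: "legit" } }, admin.origin);
  sendMessage(attacker, admin,
    { type: "updateData", data: { title: "<img src=x onerror=alert(1)>" } }, "*");
  return state.data.title;
}

// Scenario 2: the admin posts to a popup it opened. If the popup has since
// navigated to another origin, "*" still delivers; a specific origin does not.
function popupLeakScenario(targetOrigin) {
  const admin = createWindow("https://admin.example.com");
  const popup = createWindow("https://evil.example"); // now shows attacker content
  return sendMessage(admin, popup,
    { type: "authResult", token: "constructed-token" }, targetOrigin);
}
```

The two checks are complementary: verifying event.origin stops a forged message from a third-party page, while a specific targetOrigin on the sending side stops the admin from handing data to a window that no longer belongs to the expected origin.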

CVSS Scores

Not listed on this page.

EPSS Scores

Probability: not evaluated (N/A)
Percentile: not evaluated (N/A)
Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-02
AI Q&A: 2026-07-02
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 2 associated CPEs

Vendor | Product | Version / Range
tinacms | app | all versions before 2.5.6 (2.5.6 excluded)
tinacms | tinacms | all versions before 3.9.3 (3.9.3 excluded)

Exploitability

CWE

CWE ID | Description
CWE-346 | The product does not properly verify that the source of data or communication is valid.
CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-940 | The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin.

Attack-Flow Graph (graph not reproduced in this text extract)

AI Quick Actions

Executive Summary

This vulnerability affects Tina, a headless content management system, in versions prior to @tinacms/app 2.5.6 and tinacms 3.9.3. It involves cross-origin postMessage handlers and a rich-text URL-sanitization bypass that enable stored cross-site scripting (XSS) and session takeover.

The issue arises because the library registers window message listeners that act on event.data without verifying the message's origin or source window, and it posts messages with non-specific target origins, so a message can be forged by, or leaked to, a window outside the intended origin. Separately, insufficient URL sanitization in rich-text content allows malicious URLs to persist and execute.

An attacker can exploit this by forging messages to manipulate the editor, inject preview content, or interfere with the OAuth popup channel, potentially taking over an authenticated editing session.

This vulnerability has been fixed in versions @tinacms/app 2.5.6 and tinacms 3.9.3.

Impact Analysis

This vulnerability can lead to stored cross-site scripting (XSS) attacks and session takeover.

An attacker can manipulate the content management system's editor, inject malicious preview content, or hijack the OAuth authentication popup channel.

As a result, an attacker may gain unauthorized access to an authenticated editing session, potentially allowing them to modify content, steal sensitive information, or perform actions on behalf of the legitimate user.

Mitigation Strategies

To mitigate this vulnerability, upgrade @tinacms/app to 2.5.6 or later and tinacms to 3.9.3 or later, the versions in which the message-origin checks and the rich-text URL sanitization were fixed.
