CVE-2026-55661
Received - Intake

Stored XSS in Tina CMS Rich-Text Rendering

Vulnerability report for CVE-2026-55661, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: GitHub, Inc.

Description

Tina is a headless content management system. In versions prior to @tinacms/mdx 2.1.7 and tinacms 3.9.3, rich-text parsing and the default link/image renderers did not sanitize the url field on Slate link/image nodes. Content containing javascript: or data:text/html URLs, including case-variant, whitespace-padded, and control-character-obfuscated forms, is rendered into href/src and executes when the content is viewed. Any actor able to author rich-text content (for example a lower-privileged editor, or imported/external content) can achieve stored XSS against editors and site viewers. This issue is fixed in versions @tinacms/mdx 2.1.7 and tinacms 3.9.3.

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-02
AI Q&A: 2026-07-02
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor    Product    Version / Range
tinacms   mdx        all versions before 2.1.7 (2.1.7 itself not affected)
tinacms   tinacms    all versions before 3.9.3 (3.9.3 itself not affected)

Exploitability

CWE

CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-87: The product does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.

Executive Summary

This vulnerability exists in Tina, a headless content management system, in versions prior to @tinacms/mdx 2.1.7 and tinacms 3.9.3. The issue is that the rich-text parsing and the default link/image renderers did not properly sanitize the URL field on Slate link/image nodes.

As a result, content containing javascript: or data:text/html URLs, including obfuscated forms such as case variants, whitespace padding, and control characters, can be rendered into href or src attributes and executed when the content is viewed.

Any actor who can author rich-text content, such as a lower-privileged editor or imported/external content, can exploit this to achieve stored cross-site scripting (XSS) attacks against editors and site viewers.

This vulnerability was fixed in versions @tinacms/mdx 2.1.7 and tinacms 3.9.3.

Impact Analysis

This vulnerability can lead to stored cross-site scripting (XSS) attacks, where malicious scripts embedded in content are executed in the browsers of editors and site viewers.

Such attacks can result in unauthorized actions, data theft, session hijacking, or defacement of the website.

Because any user able to author rich-text content can exploit this, even lower-privileged users or imported content pose a risk.

Mitigation Strategies

To mitigate this vulnerability, upgrade the affected Tina CMS packages to the fixed versions: @tinacms/mdx to version 2.1.7 or later, and tinacms to version 3.9.3 or later.

This update ensures that the rich-text parsing and default link/image renderers properly sanitize the url field on Slate link/image nodes, preventing execution of malicious javascript: or data:text/html URLs.
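The following is an added illustration of the kind of check the fixed renderers must perform; it is example code written for this page, not TinaCMS's own implementation. It allow-lists the URL scheme on Slate-style link/image nodes and classifies each url only after stripping the whitespace and control characters named in the description, so the case-variant, padded and control-character forms are all refused. The node shape (type "a" / "img" with a url field) and the sample document are assumptions constructed for the example.

```javascript
// Added example (not TinaCMS code): allow-list the scheme of the url field on
// Slate-style link/image nodes so javascript:/data: values never reach href/src.
// Assumed node shape: { type: "a" | "img", url, children }; sample doc is constructed.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:", "mailto:", "tel:"]);
// Relative URLs are resolved against a placeholder origin only so the WHATWG URL
// parser can classify them; the placeholder itself is never emitted.
const PLACEHOLDER_BASE = "https://placeholder.invalid/";

// Returns the value safe to render, or null if it must not be placed in href/src.
function sanitizeUrl(raw) {
  if (typeof raw !== "string") return null;
  // Classify a copy with every C0 control, DEL and Unicode whitespace removed, so
  // "java\u0000script:", "java\tscript:" or " JaVaScRiPt:" cannot hide the scheme.
  const probe = raw.replace(/[\u0000-\u0020\u007f\s]/g, "");
  if (probe === "") return null;
  let parsed;
  try {
    parsed = new URL(probe, PLACEHOLDER_BASE); // the parser lower-cases the scheme
  } catch {
    return null; // unparseable input is refused rather than guessed at
  }
  // Anything not on the allow-list (javascript:, data:, vbscript:, ...) is rejected.
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return null;
  // Emit the original value minus control characters; spaces inside paths are kept.
  return raw.replace(/[\u0000-\u001f\u007f]/g, "").trim();
}

// Walks a Slate-style tree; a rejected url becomes null so the renderer can omit
// href/src entirely instead of emitting the author-supplied string.
function sanitizeRichText(node) {
  if (Array.isArray(node)) return node.map(sanitizeRichText);
  if (!node || typeof node !== "object") return node;
  const out = { ...node };
  if ((node.type === "a" || node.type === "img") && "url" in node) {
    out.url = sanitizeUrl(node.url);
  }
  if (Array.isArray(node.children)) out.children = node.children.map(sanitizeRichText);
  return out;
}

// Constructed sample document: two benign URLs plus the obfuscated forms the
// advisory describes (case variant, whitespace padding, control character).
const SAMPLE_DOC = [{ type: "p", children: [
  { type: "a", url: "https://example.org/docs?q=a b", children: [{ text: "ok" }] },
  { type: "a", url: "/relative/page#top", children: [{ text: "ok" }] },
  { type: "a", url: " \t JaVaScRiPt:alert(1)", children: [{ text: "bad" }] },
  { type: "a", url: "java\u0000script:alert(1)", children: [{ text: "bad" }] },
  { type: "img", url: "DATA:text/html,hello", children: [{ text: "" }] },
] }];

// The url values of the sample document after sanitisation, in document order.
function sanitizedUrls(doc) {
  return sanitizeRichText(doc)[0].children.map((n) => n.url);
}
```

Running sanitizedUrls(SAMPLE_DOC) keeps the two benign values unchanged and returns null for the three obfuscated ones; a renderer that omits href/src on null never emits the script-bearing URL.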
