🔐 CVE Alert

CVE-2026-55660

Severity: UNKNOWN (0.0, no score assigned)

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Tina is a headless content management system. In @tinacms/app versions prior to 2.5.6 and tinacms versions prior to 3.9.3, cross-origin postMessage handlers and a rich-text URL-sanitization bypass enable stored XSS and session takeover. The library registers several window message listeners (the useTina overlay handler, the OAuth authentication popup handler, and the admin↔preview iframe GraphQL reducer) that act on event.data without verifying event.origin or event.source, and it posts messages with non-specific (wildcard) target origins. Separately, insufficient URL sanitization in rich-text content lets malicious link URLs persist in stored content and execute when that content is rendered. Any page the victim visits, or any window in an opener/iframe relationship with a Tina admin window, can therefore forge messages to drive the editor, inject preview content, or observe and forge the OAuth popup channel and take over an authenticated editing session. The issue is fixed in @tinacms/app 2.5.6 and tinacms 3.9.3; upgrade both packages, since the affected code spans the admin app and the core library.
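The following is an added example, not code from TinaCMS or from the advisory. It models the two bug classes described above: a window "message" listener that acts on event.data with no origin or source check, beside a hardened listener; a sender that refuses the wildcard target origin; and a rich-text href sanitizer that allow-lists schemes after applying the same tab/newline stripping browsers perform, so "java\tscript:" cannot slip past a naive prefix check. The message type "tina:update", the origins, and the MessageEvent stand-in are constructed assumptions for illustration.

```javascript
// Added example, not TinaCMS project code. Message shapes, origins and the
// "tina:update" type below are constructed assumptions.

// Constructed stand-in for a MessageEvent carrying only the fields a handler reads.
function makeEvent(origin, data, source = null) {
  return { origin, data, source };
}

// Vulnerable pattern (CWE-346 / CWE-940): any page able to post to this window
// drives the editor state, because nothing about the sender is checked.
function vulnerableHandler(state, event) {
  const msg = event.data;
  if (msg && msg.type === 'tina:update') {
    state.content = msg.content;
    return true;
  }
  return false;
}

// Hardened pattern: exact-origin allow-list, expected sender window, and a
// structural check on the payload before anything is acted on.
function makeHardenedHandler(allowedOrigins, expectedSource = null) {
  const origins = new Set(allowedOrigins);
  return function hardenedHandler(state, event) {
    if (!origins.has(event.origin)) return false;                          // origin check
    if (expectedSource !== null && event.source !== expectedSource) return false; // source check
    const msg = event.data;
    if (!msg || typeof msg !== 'object') return false;
    if (msg.type !== 'tina:update' || typeof msg.content !== 'string') return false;
    state.content = msg.content;
    return true;
  };
}

// Sending side: refuse the wildcard target origin so a popup or iframe that has
// been navigated elsewhere cannot receive tokens meant for the admin origin.
function safePost(targetWindow, message, targetOrigin) {
  if (targetOrigin === '*') {
    throw new Error('refusing wildcard targetOrigin; pass the exact expected origin');
  }
  targetWindow.postMessage(message, targetOrigin);
}

// Rich-text link sanitizer. The URL parser discards ASCII tab/CR/LF anywhere in a
// URL and leading C0 controls/space before scheme parsing, so "java\tscript:" still
// executes in a browser; normalize the same way, then allow-list the scheme.
// Scheme-less (relative) hrefs pass through; anything else is rejected with null.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

function sanitizeHref(href) {
  const cleaned = String(href).replace(/[\t\n\r]/g, '').replace(/^[\x00-\x20]+/, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (!m) return cleaned;                       // no scheme: relative URL
  return ALLOWED_SCHEMES.has(m[1].toLowerCase()) ? cleaned : null;
}

// Small demonstration against constructed inputs.
function demo() {
  const forged = makeEvent('https://evil.example', { type: 'tina:update', content: 'injected' });
  const vulnerable = {};
  const hardened = {};
  const handler = makeHardenedHandler(['https://admin.example']);
  return {
    vulnerableAccepted: vulnerableHandler(vulnerable, forged),
    hardenedAccepted: handler(hardened, forged),
    links: ['javascript:alert(1)', 'java\tscript:alert(1)', 'https://example.com/', '/docs']
      .map((h) => [h, sanitizeHref(h)]),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The sanitizer deliberately does not try to recognise "javascript:" by pattern; it parses out whatever scheme is present after browser-style normalization and accepts only a short allow-list, so data: and vbscript: links are rejected for free. On the receiving side, comparing event.origin to a single expected origin (not a prefix or a regex) and keeping a reference to the popup or iframe you opened, then comparing it to event.source, covers both the origin and the sender checks the advisory says were missing.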

CWE: CWE-79 (Cross-site Scripting), CWE-346 (Origin Validation Error), CWE-601 (URL Redirection to Untrusted Site), CWE-940 (Improper Verification of Source of a Communication Channel)
Vendor: tinacms
Product: tinacms
Published: Jul 1, 2026
Last Updated: Jul 2, 2026

Affected Versions

tinacms / tinacms: < 3.9.3 (fixed in 3.9.3)
tinacms / @tinacms/app: < 2.5.6 (fixed in 2.5.6)

References

NVD, CVE.org, EPSS Data
GitHub advisory: https://github.com/tinacms/tinacms/security/advisories/GHSA-g5qx-h5f3-mp2f
GitHub pull request: https://github.com/tinacms/tinacms/pull/7056