CVE Alert

CVE-2026-55661

Severity: UNKNOWN

TinaCMS rich-text (slatejson) rendering does not sanitize link/image URLs, allowing stored XSS via dangerous URL schemes

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Tina is a headless content management system. In versions prior to @tinacms/mdx 2.1.7 and tinacms 3.9.3, rich-text parsing and the default link/image renderers did not sanitize the url field on Slate link/image nodes. Content containing javascript: or data:text/html URLs (including case-variant, whitespace-padded, and control-character-obfuscated forms) is rendered into href/src and executes when the content is viewed. Any actor able to author rich-text content (for example a lower-privileged editor, or imported/external content) can achieve stored XSS against editors and site viewers. This issue is fixed in versions @tinacms/mdx 2.1.7 and tinacms 3.9.3.
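The advisory names three bypass shapes that defeat a naive scheme check: case variants, whitespace padding, and embedded control characters. The example below is an added illustration, not TinaCMS's own fix or API: it normalizes a URL the way a browser does before deciding, then applies a scheme allow-list to Slate-style link and image nodes. The node type names `a` and `img`, the `url` field and the `children` array layout are assumptions made for the demo, and the sample document is constructed.

```javascript
// Added example (not TinaCMS code): allow-list URL sanitization for a
// Slate-style rich-text tree. Node types 'a' and 'img', the `url` field and
// the `children` layout are assumptions for this demo.

// Browsers remove tab/LF/CR anywhere in a URL, strip leading/trailing C0
// controls and spaces, and match the scheme case-insensitively, so
// "JaVaScRiPt:", "   javascript:" and "java\tscript:" all reach the JS scheme.
// We strip every C0 control anywhere (stricter than the URL spec) so the
// check sees what the browser will execute, not what the author typed.
function normalizeUrl(raw) {
  if (typeof raw !== 'string') return '';
  return raw.replace(/[\u0000-\u001f\u007f]/g, '').trim();
}

// Lowercase scheme of a normalized URL, or null for scheme-less (relative) URLs.
function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Allow-lists, not deny-lists: anything unlisted (javascript:, data:, vbscript:,
// future schemes) is rejected without needing a new pattern.
const LINK_SCHEMES = new Set(['http', 'https', 'mailto', 'tel']);
const IMAGE_SCHEMES = new Set(['http', 'https']);
// For <img src> only, raster data: URLs are tolerated; data:text/html is not.
const IMAGE_DATA_URL = /^data:image\/(png|jpeg|gif|webp)[;,]/i;

function isSafeLinkUrl(raw) {
  const url = normalizeUrl(raw);
  if (url === '') return false;
  const scheme = schemeOf(url);
  return scheme === null || LINK_SCHEMES.has(scheme);
}

function isSafeImageUrl(raw) {
  const url = normalizeUrl(raw);
  if (url === '') return false;
  const scheme = schemeOf(url);
  if (scheme === null || IMAGE_SCHEMES.has(scheme)) return true;
  return scheme === 'data' && IMAGE_DATA_URL.test(url);
}

// Returns a copy of the tree in which every link/image node with an unsafe url
// has the url removed (text and children are kept). Rejected URLs are pushed
// to `rejected` so the caller can log them. A renderer must then emit no
// href/src when `url` is absent rather than stringifying undefined.
function sanitizeTree(node, rejected = []) {
  if (Array.isArray(node)) return node.map((n) => sanitizeTree(n, rejected));
  if (node === null || typeof node !== 'object') return node;
  const out = { ...node };
  if (node.type === 'a' && !isSafeLinkUrl(node.url)) {
    rejected.push(node.url);
    delete out.url;
  }
  if (node.type === 'img' && !isSafeImageUrl(node.url)) {
    rejected.push(node.url);
    delete out.url;
  }
  if (Array.isArray(node.children)) {
    out.children = node.children.map((c) => sanitizeTree(c, rejected));
  }
  return out;
}

// Constructed sample document covering the obfuscated forms the advisory names.
const SAMPLE_DOC = {
  type: 'root',
  children: [
    { type: 'p', children: [
      { type: 'a', url: 'https://example.com/docs', children: [{ text: 'ok link' }] },
      { type: 'a', url: 'JaVaScRiPt:alert(document.cookie)', children: [{ text: 'case variant' }] },
      { type: 'a', url: '   javascript:alert(1)', children: [{ text: 'whitespace padded' }] },
      { type: 'a', url: 'java\u0000scr\tipt:alert(1)', children: [{ text: 'control chars' }] },
      { type: 'a', url: '/about', children: [{ text: 'relative' }] },
    ] },
    { type: 'img', url: 'data:text/html,<script>alert(1)</script>', alt: 'bad', children: [{ text: '' }] },
    { type: 'img', url: 'data:image/png;base64,iVBORw0KGgo=', alt: 'good', children: [{ text: '' }] },
  ],
};

function sanitizeSample() {
  const rejected = [];
  const clean = sanitizeTree(SAMPLE_DOC, rejected);
  return { clean, rejected };
}

if (typeof require !== 'undefined' && require.main === module) {
  const { rejected } = sanitizeSample();
  console.log(`rejected ${rejected.length} url(s):`, rejected);
}
```

The check is applied to the tree, so it runs the same whether content came from the editor UI or from an import; running the same predicate again inside the link/image renderer gives defense in depth if a different code path ever constructs nodes without parsing them.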

CWE: CWE-79, CWE-87
Vendor: tinacms
Product: tinacms
Published: Jul 1, 2026

Affected Versions

tinacms / tinacms
< 3.9.3
tinacms / @tinacms/mdx
< 2.1.7

References

NVD, CVE.org, EPSS Data
https://github.com/tinacms/tinacms/security/advisories/GHSA-2vcc-5v34-9jc8
https://github.com/tinacms/tinacms/pull/7056