CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-54074

highCVSS 7.8covered by 1 sourcefirst seen 2026-07-01
Tina is a headless content management system. @tinacms/cli versions prior to 2.4.3 contain a Remote Code Execution vulnerability in the Forestry-to-Tina migration command. The internal helper addVariablesToCode unquotes any value matching the marker "__TINA_INTERNAL__:::(.*?):::" inside the stringified collection JSON. User-supplied label and name fields from .forestry/**/*.yml are placed into that JSON without any sanitisation. An attacker who controls a Forestry-style project can therefore inject arbitrary JavaScript into the generated tina/templates.{ts,js} file. The injected code is written at module top level, so it executes the moment the developer runs tinacms dev or tinacms build, with the developer's privileges. This issue has been fixed in version 2.4.3.

⚡ Watch CVE-2026-54074

Get an email if CVE-2026-54074 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-54074

CVE.org record

Embed the live status

CVE-2026-54074 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-54074 status](https://www.csirts.com/badge/CVE-2026-54074)](https://www.csirts.com/cve/CVE-2026-54074)