GHSA-g5qx-h5f3-mp2f
Suggest an improvement- Source
- https://github.com/advisories/GHSA-g5qx-h5f3-mp2f
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-g5qx-h5f3-mp2f/GHSA-g5qx-h5f3-mp2f.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-g5qx-h5f3-mp2f
- Aliases
-
- CVE-2026-55660
- Published
- 2026-06-19T21:15:29Z
- Modified
- 2026-06-19T21:30:11.615426511Z
- Severity
-
- 8.5 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- TinaCMS: Cross-origin postMessage handlers and rich-text URL-sanitization bypass enable stored XSS and session takeover
- Details
-
TinaCMS registers window message listeners — the useTina overlay handler, the OAuth authentication popup handler, and the admin↔preview iframe GraphQL reducer — that act on event.data without verifying event.origin or event.source, and post messages using non-specific target origins. A page the victim visits (or a window in an opener/iframe relationship with a Tina admin) can forge messages to drive the editor, inject preview content, or observe/forge the OAuth popup channel to take over an authenticated editing session.
Fixed in #7056 by allow-listing trusted origins and verifying event.source (isFromAdmin, isFromTrustedPreviewOrigin), and by posting only to explicit target origins (never "*").
Note: the rich-text URL-sanitization issue previously bundled here has been split into its own advisory (GHSA-2vcc-5v34-9jc8) so each vulnerability can receive a distinct CVE.
- Database specific
{ "github_reviewed_at": "2026-06-19T21:15:29Z", "severity": "HIGH", "cwe_ids": [ "CWE-346", "CWE-601", "CWE-79", "CWE-940" ], "nvd_published_at": null, "github_reviewed": true }- References
Affected packages
npm / tinacms
Package
- Name
- tinacms
- View open source insights on deps.dev
- Purl
- pkg:npm/tinacms
npm / @tinacms/app
Package
- Name
- @tinacms/app
- View open source insights on deps.dev
- Purl
- pkg:npm/%40tinacms%2Fapp