GHSA-2vcc-5v34-9jc8
Suggest an improvement- Source
- https://github.com/advisories/GHSA-2vcc-5v34-9jc8
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-2vcc-5v34-9jc8/GHSA-2vcc-5v34-9jc8.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-2vcc-5v34-9jc8
- Aliases
-
- CVE-2026-55661
- Published
- 2026-06-18T13:07:05Z
- Modified
- 2026-06-18T13:16:12.470007548Z
- Severity
-
- 4.8 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
- Summary
- TinaCMS rich-text (slatejson) rendering does not sanitize link/image URLs, allowing stored XSS via dangerous URL schemes
- Details
-
TinaCMS rich-text parsing and the default link/image renderers did not sanitize the
urlfield on Slate link/image nodes. Content containingjavascript:ordata:text/htmlURLs — including case-variant, whitespace-padded, and control-character-obfuscated forms — is rendered intohref/srcand executes when the content is viewed. Any actor able to author rich-text content (for example a lower-privileged editor, or imported/external content) can achieve stored XSS against editors and site viewers.Fixed in https://github.com/tinacms/tinacms/pull/7056 via a
sanitizeUrl()helper (case-insensitive, whitespace/control-character-normalized scheme allow-list) applied recursively to Slate trees at parse time and in the default rich-text rendering. - Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-06-18T13:07:05Z", "nvd_published_at": null, "severity": "MODERATE", "cwe_ids": [ "CWE-79", "CWE-87" ] }- References
Affected packages
npm / tinacms
Package
- Name
- tinacms
- View open source insights on deps.dev
- Purl
- pkg:npm/tinacms
npm / @tinacms/mdx
Package
- Name
- @tinacms/mdx
- View open source insights on deps.dev
- Purl
- pkg:npm/%40tinacms%2Fmdx