CVE-2025-68278

Published: Dec 18, 2025

Modified: Dec 18, 2025

PUBLISHED

Description

Tina is a headless content management system. In tinacms prior to version 3.1.1, the gray-matter package is used in an insecure way that allows attackers who can control the content of the processed markdown files (e.g., blog posts) to execute arbitrary code. tinacms version 3.1.1, @tinacms/cli version 2.0.4, and @tinacms/graphql version 2.0.3 contain a fix for the issue.

Vendor: tinacms

Product: tinacms

Versions:

affected: tinacms < 3.1.1
affected: @tinacms/cli < 2.0.4
affected: @tinacms/graphql < 2.0.3

Weaknesses (CWE)

CVE-2025-68278 - Security Vulnerability | QwikSec