CVE-2026-54074: @tinacms/cli: Remote Code Execution in @tinacms/cli via Forestry migration — unsanitised __TINA_INTERNAL__ marker in user-controlled YAML labels
@tinacms/cli contains a Remote Code Execution vulnerability in its
Forestry-to-Tina migration command. The internal helper addVariablesToCode
unquotes any string value matching the marker "__TINA_INTERNAL__:::(.*?):::"
inside the stringified collection JSON, so that the migrator can emit
identifiers rather than string literals in the generated code. User-supplied
label and name fields from .forestry/**/*.yml are placed into that JSON
without any sanitisation, so a value that carries the marker is emitted as
raw JavaScript. An attacker who controls the .forestry/ directory of a
project being migrated can therefore inject arbitrary JavaScript into the
generated tina/templates.{ts,js} file. The injected code is written at
module top level, so it executes the moment the developer runs tinacms dev
or tinacms build, with the developer's privileges. The practical trust
boundary is the repository being migrated: running the migration against an
untrusted Forestry project is equivalent to running that project's code.
The references below point to the upstream fix commit, pull request #7006
and the @tinacms/cli@2.4.3 release.
References
- github.com/advisories/GHSA-4936-9hrh-qqpw
- github.com/tinacms/tinacms/commit/77665ae73dd4f9563d339535e76fa811a8abdfbb
- github.com/tinacms/tinacms/pull/7006
- github.com/tinacms/tinacms/releases/tag/@tinacms/cli@2.4.3
- github.com/tinacms/tinacms/security/advisories/GHSA-4936-9hrh-qqpw
- nvd.nist.gov/vuln/detail/CVE-2026-54074