CVE-2026-55660

Description

TinaCMS registers window message listeners — the useTina overlay handler, the OAuth authentication popup handler, and the admin↔preview iframe GraphQL reducer — that act on event.data without verifying event.origin or event.source, and post messages using non-specific target origins. A page the victim visits (or a window in an opener/iframe relationship with a Tina admin) can forge messages to drive the editor, inject preview content, or observe/forge the OAuth popup channel to take over an authenticated editing session. Fixed in [#7056](https://github.com/tinacms/tinacms/pull/7056) by allow-listing trusted origins and verifying event.source (isFromAdmin, isFromTrustedPreviewOrigin), and by posting only to explicit target origins (never "*"). Note: the rich-text URL-sanitization issue previously bundled here has been split into its own advisory (GHSA-2vcc-5v34-9jc8) so each vulnerability can receive a distinct CVE.

How to fix CVE-2026-55660

To remediate CVE-2026-55660, upgrade the affected package to a fixed version below.

• —upgrade to 3.9.3 or later
• —upgrade to 2.5.6 or later

Is CVE-2026-55660 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-55660.

Affected packages (2)

• from 0, < 3.9.3
• from 0, < 2.5.6

CVSS scores

References (3)

• PATCHgithub.com/tinacms/tinacms
• WEBgithub.com/tinacms/tinacms/pull/7056
• WEBgithub.com/tinacms/tinacms/security/advisories/GHSA-g5qx-h5f3-mp2f