CVE-2026-28792
CRITICALssw/tinacms/cli < 2.1.8 - Unauthenticated Path Traversal and Arbitrary File Write via CORS Misconfiguration
Title source: llmExploitation Summary
EIP tracks 1 public exploit for CVE-2026-28792. PoCs published by alaeddine03.
AI-analyzed exploit summary The repository describes a CVE-2026-28792 vulnerability in TinaCMS CLI dev server, detailing a CORS misconfiguration combined with path traversal that allows cross-origin file exfiltration. The attack requires tricking a developer into visiting a malicious site while the dev server is running.
Description
Tina is a headless content management system. Prior to 2.1.8 , the TinaCMS CLI dev server combines a permissive CORS configuration (Access-Control-Allow-Origin: *) with the path traversal vulnerability (previously reported) to enable a browser-based drive-by attack. A remote attacker can enumerate the filesystem, write arbitrary files, and delete arbitrary files on developer's machines by simply tricking them into visiting a malicious website while tinacms dev is running. This vulnerability is fixed in 2.1.8.
Exploits (1)
The repository describes a CVE-2026-28792 vulnerability in TinaCMS CLI dev server, detailing a CORS misconfiguration combined with path traversal that allows cross-origin file exfiltration. The attack requires tricking a developer into visiting a malicious site while the dev server is running.
References (1)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H