CVE-2026-28793

HIGH

TinaCMS CLI <2.1.8 - Path Traversal

Title source: llm

Description

Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI development server exposes media endpoints that are vulnerable to path traversal, allowing attackers to read and write arbitrary files on the filesystem outside the intended media directory. When running tinacms dev, the CLI starts a local HTTP server (default port 4001) exposing endpoints such as /media/list/*, /media/upload/*, and /media/*. These endpoints process user-controlled path segments using decodeURI() and path.join() without validating that the resolved path remains within the configured media directory. This vulnerability is fixed in 2.1.8.

Exploits (1)

github SUSPICIOUS

by alaeddine03 · poc

https://github.com/alaeddine03/CVE-Disclosures/tree/main/Tinacms/ CVE-2026-28793

View Code ZIP pw:eip

References (1)

[Vendor Advisory] https://github.com/tinacms/tinacms/security/advisories/GHSA-2f24-mg4x-534q

Scores

CVSS v3 8.4

EPSS 0.0003

EPSS Percentile 9.5%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-22

Status published

Products (1)

ssw/tinacms\/cli < 2.1.8

Published Mar 12, 2026

Tracked Since Mar 13, 2026