CVE-2026-28792
CRITICAL
GHSA-8pw3-9m7f-q734
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
4Tags
Description
Tina is a headless content management system. Prior to 2.1.8 , the TinaCMS CLI dev server combines a permissive CORS configuration (Access-Control-Allow-Origin: *) with the path traversal vulnerability (previously reported) to enable a browser-based drive-by attack. A remote attacker can enumerate the filesystem, write arbitrary files, and delete arbitrary files on developer's machines by simply tricking them into visiting a malicious website while tinacms dev is running. This vulnerability is fixed in 2.1.8.
Analysis
TinaCMS CLI dev server combines a permissive CORS policy (Access-Control-Allow-Origin: *) with path traversal to enable drive-by attacks. A remote attacker can enumerate, write, and delete files on a developer's machine simply by having them visit a malicious webpage. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Notify all development teams using TinaCMS to cease using the CLI dev server and switch to alternative development workflows; document affected developer machines. Within 7 days: Conduct forensic review of developer machines for unauthorized file modifications or deletions; audit git commit history for anomalies. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today