Tinacms Cli
CVE-2026-28792
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
Tina is a headless content management system. Prior to 2.1.8 , the TinaCMS CLI dev server combines a permissive CORS configuration (Access-Control-Allow-Origin: *) with the path traversal vulnerability (previously reported) to enable a browser-based drive-by attack. A remote attacker can enumerate the filesystem, write arbitrary files, and delete arbitrary files on developer's machines by simply tricking them into visiting a malicious website while tinacms dev is running. This vulnerability is fixed in 2.1.8.
AnalysisAI
TinaCMS CLI dev server combines a permissive CORS policy (Access-Control-Allow-Origin: *) with path traversal to enable drive-by attacks. A remote attacker can enumerate, write, and delete files on a developer's machine simply by having them visit a malicious webpage. PoC available.
Technical ContextAI
The TinaCMS CLI dev server sets Access-Control-Allow-Origin: * (CWE-22 path traversal combined with CORS misconfiguration). This allows any website to make cross-origin requests to the developer's local Tina server. Combined with path traversal, an attacker's website can silently enumerate the filesystem, inject backdoors into source code, or delete files.
RemediationAI
Upgrade to TinaCMS 2.1.8 or later. Restrict dev server to localhost binding. Use a browser profile without other tabs when running dev servers.
More in Tinacms Cli
View allHigh severity vulnerability in TinaCMS. The TinaCMS CLI development server exposes media endpoints that are vulnerable t
Remote code execution in TinaCMS affects versions prior to 3.1.1, @tinacms/cli before 2.0.4, and @tinacms/graphql before
Medium severity vulnerability in TinaCMS. The TinaCMS CLI dev server configures Vite with `server.fs.strict: false`, whi
High severity vulnerability in TinaCMS. ## Affected Package
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-8pw3-9m7f-q734