Skip to main content

Tinacms Cli CVE-2026-28792

CRITICAL
Path Traversal (CWE-22)
2026-03-12 security-advisories@github.com GHSA-8pw3-9m7f-q734
9.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
PoC Detected
Mar 13, 2026 - 19:54 vuln.today
Public exploit code
Analysis Generated
Mar 12, 2026 - 19:57 vuln.today
CVE Published
Mar 12, 2026 - 17:16 nvd
CRITICAL 9.6

DescriptionGitHub Advisory

Tina is a headless content management system. Prior to 2.1.8 , the TinaCMS CLI dev server combines a permissive CORS configuration (Access-Control-Allow-Origin: *) with the path traversal vulnerability (previously reported) to enable a browser-based drive-by attack. A remote attacker can enumerate the filesystem, write arbitrary files, and delete arbitrary files on developer's machines by simply tricking them into visiting a malicious website while tinacms dev is running. This vulnerability is fixed in 2.1.8.

AnalysisAI

TinaCMS CLI dev server combines a permissive CORS policy (Access-Control-Allow-Origin: *) with path traversal to enable drive-by attacks. A remote attacker can enumerate, write, and delete files on a developer's machine simply by having them visit a malicious webpage. PoC available.

Technical ContextAI

The TinaCMS CLI dev server sets Access-Control-Allow-Origin: * (CWE-22 path traversal combined with CORS misconfiguration). This allows any website to make cross-origin requests to the developer's local Tina server. Combined with path traversal, an attacker's website can silently enumerate the filesystem, inject backdoors into source code, or delete files.

RemediationAI

Upgrade to TinaCMS 2.1.8 or later. Restrict dev server to localhost binding. Use a browser profile without other tabs when running dev servers.

Share

CVE-2026-28792 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy