CVE-2026-28792

Tina is a headless content management system. Prior to 2.1.8 , the TinaCMS CLI dev server combines a permissive CORS configuration (Access-Control-Allow-Origin: *) with the path traversal vulnerability (previously reported) to enable a browser-based drive-by attack. A remote attacker can enumerate the filesystem, write arbitrary files, and delete arbitrary files on developer's machines by simply tricking them into visiting a malicious website while tinacms dev is running. This vulnerability is fixed in 2.1.8.

CVSS v3 9.6 CRITICAL

9.6^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 2.8 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/tinacms/tinacms/security/advisories/GHSA-8pw3-9m7f-q734	Exploit Vendor Advisory
https://github.com/tinacms/tinacms/security/advisories/GHSA-8pw3-9m7f-q734	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:ssw:tinacms\/cli:*:*:*:*:*:node.js:*:*

History

No history.

Information

Published : 2026-03-12 17:16

Updated : 2026-03-13 19:54

NVD link : CVE-2026-28792

Mitre link : CVE-2026-28792

CVE.ORG link : CVE-2026-28792

JSON object : View

Products Affected

ssw

tinacms\/cli

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-942

Permissive Cross-domain Security Policy with Untrusted Domains

{"id": "CVE-2026-28792", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.6, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.8}]}, "published": "2026-03-12T17:16:50.387", "references": [{"url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-8pw3-9m7f-q734", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-8pw3-9m7f-q734", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-942"}]}], "descriptions": [{"lang": "en", "value": "Tina is a headless content management system. Prior to 2.1.8 , the TinaCMS CLI dev server combines a permissive CORS configuration (Access-Control-Allow-Origin: *) with the path traversal vulnerability (previously reported) to enable a browser-based drive-by attack. A remote attacker can enumerate the filesystem, write arbitrary files, and delete arbitrary files on developer's machines by simply tricking them into visiting a malicious website while tinacms dev is running. This vulnerability is fixed in 2.1.8."}, {"lang": "es", "value": "Tina es un sistema de gesti\u00f3n de contenido sin cabeza. Previo a la 2.1.8, el servidor de desarrollo CLI de TinaCMS combina una configuraci\u00f3n CORS permisiva (Access-Control-Allow-Origin: *) con la vulnerabilidad de salto de ruta (previamente reportada) para permitir un ataque drive-by basado en el navegador. Un atacante remoto puede enumerar el sistema de archivos, escribir archivos arbitrarios y eliminar archivos arbitrarios en las m\u00e1quinas de los desarrolladores simplemente enga\u00f1\u00e1ndolos para que visiten un sitio web malicioso mientras tinacms dev est\u00e1 en ejecuci\u00f3n. Esta vulnerabilidad est\u00e1 corregida en la 2.1.8."}], "lastModified": "2026-03-13T19:54:32.090", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ssw:tinacms\\/cli:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "1CE10330-2151-486B-AF99-38DC3D2F8FA0", "versionEndExcluding": "2.1.8"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}