CVE-2026-28791

Tina is a headless content management system. Prior to 2.1.7, a path traversal vulnerability exists in the TinaCMS development server's media upload handler. The code at media.ts joins user-controlled path segments using path.join() without validating that the resulting path stays within the intended media directory. This allows writing files to arbitrary locations on the filesystem. This vulnerability is fixed in 2.1.7.

CVSS v3 7.4 HIGH

7.4^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.2 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/tinacms/tinacms/security/advisories/GHSA-5hxf-c7j4-279c	Exploit Vendor Advisory
https://github.com/tinacms/tinacms/security/advisories/GHSA-5hxf-c7j4-279c	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:ssw:tinacms\/cli:*:*:*:*:*:node.js:*:*

History

13 Mar 2026, 19:55

Type	Values Removed	Values Added
First Time		Ssw Ssw tinacms\/cli
CPE		cpe:2.3:a:ssw:tinacms\/cli::::::node.js::*
References	~~() https://github.com/tinacms/tinacms/security/advisories/GHSA-5hxf-c7j4-279c -~~	() https://github.com/tinacms/tinacms/security/advisories/GHSA-5hxf-c7j4-279c - Exploit, Vendor Advisory
Summary		(es) Tina es un sistema de gestión de contenidos sin cabeza. Antes de la 2.1.7, existe una vulnerabilidad de salto de ruta en el gestor de carga de medios del servidor de desarrollo de TinaCMS. El código en media.ts une segmentos de ruta controlados por el usuario usando path.join() sin validar que la ruta resultante permanezca dentro del directorio de medios previsto. Esto permite escribir archivos en ubicaciones arbitrarias en el sistema de archivos. Esta vulnerabilidad está corregida en la 2.1.7.

12 Mar 2026, 17:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-12 17:16

Updated : 2026-03-13 19:55

NVD link : CVE-2026-28791

Mitre link : CVE-2026-28791

CVE.ORG link : CVE-2026-28791

JSON object : View

Products Affected

ssw

tinacms\/cli

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2026-28791", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 2.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 2.2}]}, "published": "2026-03-12T17:16:50.237", "references": [{"url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-5hxf-c7j4-279c", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-5hxf-c7j4-279c", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "Tina is a headless content management system. Prior to 2.1.7, a path traversal vulnerability exists in the TinaCMS development server's media upload handler. The code at media.ts joins user-controlled path segments using path.join() without validating that the resulting path stays within the intended media directory. This allows writing files to arbitrary locations on the filesystem. This vulnerability is fixed in 2.1.7."}, {"lang": "es", "value": "Tina es un sistema de gesti\u00f3n de contenidos sin cabeza. Antes de la 2.1.7, existe una vulnerabilidad de salto de ruta en el gestor de carga de medios del servidor de desarrollo de TinaCMS. El c\u00f3digo en media.ts une segmentos de ruta controlados por el usuario usando path.join() sin validar que la ruta resultante permanezca dentro del directorio de medios previsto. Esto permite escribir archivos en ubicaciones arbitrarias en el sistema de archivos. Esta vulnerabilidad est\u00e1 corregida en la 2.1.7."}], "lastModified": "2026-03-13T19:55:35.563", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ssw:tinacms\\/cli:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "230CF05A-3446-4C32-9F67-1EF5E63B25B9", "versionEndExcluding": "2.1.7"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}