Platform
nodejs
Component
tinacms
Fixed in
2.1.8
2.1.7
A path traversal vulnerability has been identified in the @tinacms/cli package, specifically within the development server's media upload handler. This flaw (CWE-22) allows attackers to manipulate file paths, potentially writing files outside the intended media directory. The vulnerability affects versions up to 2.0.5 and is resolved in version 2.1.7. Users are advised to upgrade immediately to mitigate the risk.
The core of the vulnerability lies in the media.ts file, where user-supplied path segments are joined using path.join() without proper validation. This lack of validation allows an attacker to craft malicious requests that include path traversal sequences (e.g., ../..) to navigate outside the designated media directory. Successful exploitation could enable an attacker to overwrite critical system files, inject malicious code, or compromise the entire development environment. The potential impact extends beyond simple file modification; depending on the server configuration and permissions, an attacker could gain remote code execution capabilities, effectively taking control of the server.
This vulnerability was publicly disclosed on 2026-03-12. There are currently no known public proof-of-concept exploits, but the ease of exploitation makes it a potential target. The probability of exploitation is assessed as medium, because an attacker needs reachable access to a development environment and such requests may be caught by security tools. It is not currently listed on the CISA KEV catalog.
Development teams utilizing @tinacms/cli for content management system development are at immediate risk. Specifically, those using versions 2.0.5 or earlier, and those running the development server in environments with inadequate file system permissions, are particularly vulnerable. Shared hosting environments where the development server might be accessible from the public internet are also at heightened risk.
• nodejs / server:
npm list @tinacms/cli
• nodejs / server:
grep -rn "path\.join(" packages/@tinacms/cli/src/next/commands/dev-command/server/media.ts
• generic web:
Inspect media upload endpoints for unusual file paths in request parameters. Monitor access logs for requests containing path traversal sequences (e.g., ../).
disclosure
Exploit status
EPSS
0.08% (23rd percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade to @tinacms/cli version 2.1.7 or later, which includes the necessary fix to validate file paths. If an immediate upgrade is not feasible, consider implementing a Web Application Firewall (WAF) rule to filter requests containing path traversal sequences. Specifically, block requests containing ../ patterns in the file upload path. Additionally, restrict file upload permissions to the minimum necessary to prevent attackers from writing to sensitive directories. After upgrading, verify the fix by attempting to upload a file to a location outside the intended media directory; the upload should be rejected.
Update TinaCMS to version 2.1.7 or later. This version fixes the path traversal vulnerability in media upload handling.
CVE-2026-28791 is a Path Traversal vulnerability in the @tinacms/cli package, allowing attackers to write files outside the intended media directory.
You are affected if you are using @tinacms/cli versions 2.0.5 or earlier.
Upgrade to @tinacms/cli version 2.1.7 or later. Implement input validation as a temporary workaround.
There are currently no reports of active exploitation, but the vulnerability's ease of exploitation suggests a potential for future attacks.
Refer to the official @tinacms/cli release notes and security advisories on their website or GitHub repository.