Platform
nodejs
Component
@tinacms/cli
Fixed in
2.1.9
2.1.8
CVE-2026-28793 describes a Path Traversal vulnerability discovered in the @tinacms/cli development server. This vulnerability allows attackers to potentially read and write arbitrary files on the server's filesystem, bypassing intended access controls. The vulnerability affects versions of @tinacms/cli prior to 2.1.8. A fix has been released in version 2.1.8.
The vulnerability lies in how the TinaCMS CLI handles user-controlled path segments within its media endpoints (e.g., /media/list/, /media/upload/, /media/*). The use of decodeURI() and path.join() without proper validation allows an attacker to craft malicious requests that resolve to paths outside the designated media directory. This could lead to unauthorized access to sensitive files, modification of system configurations, or even remote code execution if writable files are targeted. The potential impact is significant, as an attacker could compromise the entire development environment and potentially gain access to production data if the development environment shares resources with production.
This vulnerability was publicly disclosed on 2026-03-12. There are currently no known public exploits or active campaigns targeting this vulnerability. The EPSS score is likely to be medium, given the relatively straightforward nature of the path traversal and the potential for significant impact. Monitor security advisories and threat intelligence feeds for any updates.
Developers and DevOps teams using @tinacms/cli for content management projects are at risk. Specifically, those running older versions of the CLI in development environments are particularly vulnerable, as these environments often have looser security controls than production systems. Shared hosting environments where multiple developers share the same server could also be affected.
• nodejs / server:
# Check for vulnerable @tinacms/cli versions
npm list @tinacms/cli
• nodejs / server:
# Monitor access logs for suspicious requests containing '..' sequences
# (-F matches the literal string; without it the dots are regex wildcards)
grep -F "../" /var/log/nginx/access.log
• generic web:
# Attempt path traversal via curl
curl http://localhost:4001/media/../../../../etc/passwd
Disclosure
Exploit status
EPSS
0.02% (6th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade to @tinacms/cli version 2.1.8 or later, which includes the necessary fix. If upgrading immediately is not feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal attempts (e.g., ../ sequences). Additionally, restrict access to the development server to trusted networks and users. Thoroughly review the media directory permissions to ensure only authorized users have write access. Regularly scan the server for unusual file modifications.
Update the @tinacms/cli package to version 2.1.8 or later. This fixes the path traversal vulnerability that allows reading, writing and deleting arbitrary files outside the configured media directory.
CVE-2026-28793 is a Path Traversal vulnerability affecting @tinacms/cli versions before 2.1.8, allowing attackers to read/write arbitrary files.
You are affected if you are using @tinacms/cli versions prior to 2.1.8. Check your installed version with npm list @tinacms/cli.
Upgrade to @tinacms/cli version 2.1.8 or later. Consider WAF rules as a temporary mitigation.
There are currently no known public exploits or active campaigns targeting this vulnerability, but it's crucial to apply the fix.
Refer to the official @tinacms/cli release notes and security advisories on their website or GitHub repository.