Platform: nodejs
Component: tinacms
Fixed in: 2.1.8, 2.1.7
A path traversal vulnerability has been identified in the @tinacms/cli package, specifically in the development server's media upload handler. This flaw (CWE-22) lets an attacker write files outside the intended media directory, which amounts to an arbitrary file write. The vulnerability affects versions up to 2.0.5 and is resolved in version 2.1.7.
The core of the vulnerability lies in the media.ts file, where user-controlled path segments are joined with path.join() without validating the result. path.join() normalizes ".." segments rather than rejecting them, so a crafted request can steer the resulting path outside the media root and write files to arbitrary locations on the server's file system. Successful exploitation could modify or replace critical files, potentially resulting in remote code execution and complete system compromise. The blast radius extends to any environment that runs the vulnerable @tinacms/cli version for development, since the development server is often exposed during testing and debugging.
This vulnerability was publicly disclosed on 2026-03-12. No public proof-of-concept (PoC) code had been released at the time of writing, but the ease of exploitation suggests that a PoC is likely to emerge. The vulnerability is not currently listed on CISA KEV, and there are no reports of active exploitation campaigns. The CVSS score of 7.4 (HIGH) indicates a significant risk.
Exploit Status
EPSS: 0.08% (23rd percentile)
CISA SSVC
The primary mitigation is to upgrade immediately to @tinacms/cli version 2.1.7 or later. If an immediate upgrade is not feasible because of compatibility issues or breaking changes, consider a temporary workaround: restrict the file system permissions under which the development server can write, so that writes are confined to the media directory. Implement strict validation on all user-provided file paths in the media upload handler: resolve the final path and reject the request unless it lies inside the intended media directory. Monitor file system activity for unexpected file creations or modifications in and around the media directory. After upgrading, confirm the fix by attempting a file upload with a crafted path traversal payload and verifying that the upload is rejected.
Update TinaCMS to version 2.1.7 or higher. This version fixes the path traversal vulnerability in the media upload handler.
CVE-2026-28791 is a Path Traversal vulnerability in the @tinacms/cli package, allowing attackers to write files outside the intended media directory.
You are affected if you are using @tinacms/cli versions 2.0.5 or earlier.
Upgrade to @tinacms/cli version 2.1.7 or later. Implement input validation as a temporary workaround.
There are currently no reports of active exploitation, but the vulnerability's ease of exploitation suggests a potential for future attacks.
Refer to the official @tinacms/cli release notes and security advisories on their website or GitHub repository.