Platform: nodejs
Component: @tinacms/cli
Fixed in: 2.1.9, 2.1.8
CVE-2026-28793 describes a Path Traversal vulnerability discovered in the @tinacms/cli development server. This vulnerability allows attackers to potentially read and write arbitrary files on the server's filesystem, bypassing intended access controls. The vulnerability affects versions of @tinacms/cli prior to 2.1.8. A fix has been released in version 2.1.8.
The vulnerability lies in how the TinaCMS CLI handles user-controlled path segments within its media endpoints (e.g., /media/list/, /media/upload/, /media/*). The use of decodeURI() and path.join() without proper validation allows an attacker to craft malicious requests that resolve to paths outside the designated media directory. This could lead to unauthorized access to sensitive files, modification of system configurations, or even remote code execution if writable files are targeted. The potential impact is significant, as an attacker could compromise the entire development environment and potentially gain access to production data if the development environment shares resources with production.
This vulnerability was publicly disclosed on 2026-03-12. There are currently no known public exploits or active campaigns targeting this vulnerability. The EPSS score is likely to be medium, given the relatively straightforward nature of the path traversal and the potential for significant impact. Monitor security advisories and threat intelligence feeds for any updates.
Exploit Status
EPSS: 0.02% (6th percentile)
CISA SSVC
The primary mitigation is to upgrade to @tinacms/cli version 2.1.8 or later, which includes the necessary fix. If upgrading immediately is not feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal attempts (e.g., ../ sequences). Additionally, restrict access to the development server to trusted networks and users. Thoroughly review the media directory permissions to ensure only authorized users have write access. Regularly scan the server for unusual file modifications.
Update the @tinacms/cli package to version 2.1.8 or higher. This corrects the path traversal vulnerability that allows for the reading, writing, and deleting of arbitrary files outside the configured media directory.
CVE-2026-28793 is a Path Traversal vulnerability affecting @tinacms/cli versions before 2.1.8, allowing attackers to read/write arbitrary files.
You are affected if you are using @tinacms/cli versions prior to 2.1.8. Check your installed version with npm list @tinacms/cli.
Upgrade to @tinacms/cli version 2.1.8 or later. Consider WAF rules as a temporary mitigation.
There are currently no known public exploits or active campaigns targeting this vulnerability, but it's crucial to apply the fix.
Refer to the official @tinacms/cli release notes and security advisories on their website or GitHub repository.