Platform
nodejs
Component
@tinacms/cli
Fixed in
2.1.9
2.1.8
CVE-2026-28792 is a critical Path Traversal vulnerability affecting the @tinacms/cli development server. This vulnerability allows a remote attacker to potentially compromise a developer's machine by exploiting permissive CORS configurations. The vulnerability impacts versions prior to 2.1.8 and can be resolved by upgrading to the patched version. A fix was released on an unspecified date.
The core of this vulnerability lies in the combination of a permissive CORS policy (allowing requests from any origin) and an existing path traversal flaw within the @tinacms/cli dev server. An attacker can craft a malicious website that, when visited by a developer running tinacms dev, will trigger cross-origin requests. These requests, due to the path traversal vulnerability, can then be used to enumerate files on the developer's filesystem. More critically, the attacker can write arbitrary files and even delete existing files, potentially leading to complete system compromise. This is a significant risk, as it bypasses traditional security boundaries and allows for remote code execution through file manipulation.
This vulnerability was publicly disclosed on 2026-03-12. The combination of permissive CORS and path traversal creates a relatively easy-to-exploit scenario. While no public proof-of-concept (PoC) has been observed as of this writing, the simplicity of the attack vector suggests a high probability of exploitation. It is not currently listed on the CISA KEV catalog.
Developers actively using the @tinacms/cli package for content management development are at significant risk. This includes those working on projects utilizing TinaCMS and running the tinacms dev server locally. The vulnerability is particularly concerning for developers who frequently visit untrusted websites or work in environments with limited security awareness.
• nodejs / supply-chain: npm audit @tinacms/cli
• nodejs / supply-chain: yarn audit @tinacms/cli
• generic web: Check for unusual file modifications or deletions on developer machines, particularly in directories accessible by the tinacms dev process.
disclosure
Exploit status
EPSS
0.28% (percentile 51%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-28792 is to immediately upgrade the @tinacms/cli package to version 2.1.8 or later. Until the upgrade is possible, developers should avoid running tinacms dev on machines containing sensitive data. As a temporary workaround, consider implementing stricter CORS policies within the TinaCMS configuration to limit allowed origins. While this doesn't directly address the path traversal, it reduces the attack surface. After upgrading, verify the fix by attempting to access files outside the intended directory via a browser while the dev server is running; access should be denied.
Update the @tinacms/cli package to version 2.1.8 or later. This fixes the path traversal vulnerability and the permissive CORS configuration that together allow file exfiltration. Run `npm install @tinacms/cli@latest` or `yarn add @tinacms/cli@latest` to update.
CVE-2026-28792 is a critical vulnerability in @tinacms/cli allowing attackers to read, write, and delete files on developer machines via a malicious website due to permissive CORS and path traversal.
You are affected if you are using @tinacms/cli versions prior to 2.1.8 and running the tinacms dev server.
Upgrade to @tinacms/cli version 2.1.8 or later. As a temporary workaround, restrict CORS origins.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests a high probability of future attacks.
Refer to the official @tinacms/cli release notes and security advisories on their website or GitHub repository.