What is CVE-2026-28791 — Path Traversal in @tinacms/cli?

CVE-2026-28791 is a Path Traversal vulnerability in the @tinacms/cli package, allowing attackers to write files outside the intended media directory.

Am I affected by CVE-2026-28791 in @tinacms/cli?

You are affected if you are using @tinacms/cli versions 2.0.5 or earlier.

How do I fix CVE-2026-28791 in @tinacms/cli?

Upgrade to @tinacms/cli version 2.1.7 or later. Implement input validation as a temporary workaround.

Is CVE-2026-28791 being actively exploited?

There are currently no reports of active exploitation, but the vulnerability's ease of exploitation suggests a potential for future attacks.

Where can I find the official @tinacms/cli advisory for CVE-2026-28791?

Refer to the official @tinacms/cli release notes and security advisories on their website or GitHub repository.

CVE-2026-28791 — Vulnerability Details

NEXTGUARD

Escanear grátis

CVE-2026-28791 — Vulnerability Details | NextGuard

Passos de Detecçãotraduzindo…

• nodejs / server:

  npm list @tinacms/cli

• nodejs / server:

  grep -r "path.join()" packages/@tinacms/cli/src/next/commands/dev-command/server/media.ts

• generic web: Inspect media upload endpoints for unusual file paths in request parameters. Monitor access logs for requests containing path traversal sequences (e.g., ../).

Tina: Path Traversal in Media Upload Handle

Impacto e Cenários de Ataquetraduzindo…

Contexto de Exploraçãotraduzindo…

Quem Está em Riscotraduzindo…

Passos de Detecçãotraduzindo…

Linha do Tempo do Ataque

Inteligência de Ameaças

Software Afetado

Classificação de Fraqueza (CWE)

Linha do tempo

Mitigação e Soluções Alternativastraduzindo…

Como corrigirtraduzindo…

Boletim de Segurança CVE

Perguntas frequentestraduzindo…

What is CVE-2026-28791 — Path Traversal in @tinacms/cli?

Am I affected by CVE-2026-28791 in @tinacms/cli?

How do I fix CVE-2026-28791 in @tinacms/cli?

Is CVE-2026-28791 being actively exploited?

Where can I find the official @tinacms/cli advisory for CVE-2026-28791?

Seu projeto está afetado?