CVE-2026-28791Path Traversal in Tinacms

CWE-22Path Traversal5 documents5 sources
Severity
7.4HIGHNVD
EPSS
0.1%
top 75.41%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
TinacmsSSW Tinacms CLI
Timeline
PublishedMar 12

Description

Tina is a headless content management system. Prior to 2.1.7, a path traversal vulnerability exists in the TinaCMS development server's media upload handler. The code at media.ts joins user-controlled path segments using path.join() without validating that the resulting path stays within the intended media directory. This allows writing files to arbitrary locations on the filesystem. This vulnerability is fixed in 2.1.7.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:HExploitability: 2.2 | Impact: 5.2

Affected Packages3 packages

CVEListV5tinacms/tinacms< 2.1.7
NVDssw/tinacms_cli< 2.1.7
npmtinacms/tinacms< 2.1.7

🔴Vulnerability Details

3
GHSA
Tina: Path Traversal in Media Upload Handle2026-03-12
CVEList
Path Traversal in Media Upload Handle in Tina2026-03-12
OSV
Tina: Path Traversal in Media Upload Handle2026-03-12

🕵️Threat Intelligence

1
Wiz
CVE-2026-28791 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-28791 — Path Traversal in Tinacms | cvebase