CVE-2026-28792
Published 2026-03-12
Priority: P2 · 61 · critical · CVSS 3.1: 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS: 0.53% (41.0th percentile)
Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server combines a permissive CORS configuration (Access-Control-Allow-Origin: *) with the path traversal vulnerability (previously reported) to enable a browser-based drive-by attack. A remote attacker can enumerate the filesystem, write arbitrary files, and delete arbitrary files on developers' machines simply by tricking them into visiting a malicious website while tinacms dev is running. This vulnerability is fixed in 2.1.8.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ssw | tinacms_cli | < 2.1.8 | 2.1.8 |
| tinacms | cli | < 2.1.8 | 2.1.8 |
| tinacms | cli | >= 0 < 2.1.8 | 2.1.8 |
GHSA · 2026-03-12
CVE-2026-28792 [CRITICAL] CWE-22: TinaCMS CLI Dev Server Vulnerable to Cross-Origin File Exfiltration via CORS Misconfiguration + Path Traversal in TinaCMS
## Summary
The TinaCMS CLI dev server combines a permissive CORS configuration (Access-Control-Allow-Origin: *) with the path traversal vulnerability (previously reported) to enable a browser-based drive-by attack. A remote attacker can enumerate the filesystem, write arbitrary files, and delete arbitrary files on developers' machines simply by tricking them into visiting a malicious website while tinacms dev is running.
## Details
The TinaCMS dev server sets permissive CORS headers that allow **any origin** to make cross-origin requests:
- packages/@tinacms/cli/src/server/server.ts:
```ts
app.use(cors());
```
- packages/@tinacms/cli/src/next/vite/plugins.ts:
```ts
serv
```
OSV · 2026-03-12: TinaCMS CLI Dev Server Vulnerable to Cross-Origin File Exfiltration via CORS Misconfiguration + Path Traversal in TinaCMS (same advisory text as the GHSA entry)
No detection rules found.
No public exploits indexed.