Path Traversal Vulnerability in TinaCMS by Tina
CVE-2026-28793

8.4 HIGH

Key Information:

Vendor

@tinacms

Status
Vendor
CVE Published:
12 March 2026

What is CVE-2026-28793?

TinaCMS, a popular headless content management system, is vulnerable to path traversal through its media endpoints in versions prior to 2.1.8. When the TinaCMS development server is running, these endpoints are exposed without adequate path validation: user-controlled path segments are not properly sanitised, so a request can read and write arbitrary files outside the configured media directory. The root cause is improper handling of user-controlled path segments, which is why robust path validation against the media root is required. The vulnerability is fixed in version 2.1.8.

Affected Version(s)

cli < 2.1.8

References

CVSS V3.1

Score:
8.4
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
