Path Traversal Vulnerability in TinaCMS by Tina
CVE-2026-28793
8.4 HIGH
What is CVE-2026-28793?
TinaCMS, a popular headless content management system, is vulnerable to path traversal through its media endpoints in versions prior to 2.1.8. When the TinaCMS development server is running, critical endpoints are exposed without adequate path validation. Because user-controlled path segments are handled improperly, these endpoints allow users to read and write arbitrary files outside the defined media directory, which poses significant security risks. The vulnerability has been addressed in version 2.1.8.
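One way to confine a user-supplied media path to the media directory, shown beside the unsafe join pattern. This is an added example, not TinaCMS code or its 2.1.8 fix; `MEDIA_ROOT`, `naiveMediaPath` and `resolveInsideMedia` are hypothetical names, and the input is assumed to be the raw, still percent-encoded path segment.

```javascript
// Added example: hypothetical names, constructed sample root.
const path = require('node:path');

const MEDIA_ROOT = path.resolve('/srv/site/public/uploads');

// Unsafe pattern: join() normalises "..", so the result can leave the root.
function naiveMediaPath(userPath) {
  return path.join(MEDIA_ROOT, userPath);
}

// Hardened: decode once, reject NUL bytes, resolve, then require containment.
// Returns the absolute path inside `root`, or null if the request escapes it.
function resolveInsideMedia(userPath, root = MEDIA_ROOT) {
  let decoded;
  try {
    decoded = decodeURIComponent(userPath);
  } catch {
    return null; // malformed percent-encoding
  }
  if (decoded.includes('\0')) return null;

  // Treat the request as relative even if it starts with "/" or "\".
  const relative = decoded.replace(/\\/g, '/').replace(/^\/+/, '');
  const resolved = path.resolve(root, relative);

  // Compare with path.relative() rather than startsWith(root): a plain prefix
  // test would accept a sibling such as "<root>-private".
  const rel = path.relative(root, resolved);
  const escapes =
    rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  return escapes ? null : resolved;
}

// Constructed sample requests.
for (const p of ['images/logo.png', '../../../etc/passwd',
                 '%2e%2e%2fsecret.txt', '../uploads-private/key.pem']) {
  console.log(JSON.stringify(p), '->', resolveInsideMedia(p));
}
```

The check is lexical only: if symlinks can exist inside the media directory, resolve the final path with `fs.realpath` and repeat the containment test before opening the file.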
Affected Version(s)
cli < 2.1.8
