CVE-2026-28791

High CVSS: 7.4

Tina is a headless content management system. Prior to 2.1.7, a path traversal vulnerability exists in the TinaCMS development server's media upload handler. The code at media.ts joins user-controlled path segments using path.join() without validating that the resulting path stays within the intended media directory. This allows writing files to arbitrary locations on the filesystem. This vulnerability is fixed in 2.1.7.

Vendor

Ssw

Product

Tinacms\/cli

CWE

CWE-22

Yayın Tarihi

2026-03-12 17:16:50

Güncelleme

2026-03-13 19:55:35

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-22 Tinacms\/cli HIGH Ssw 2026

Referanslar

https://github.com/tinacms/tinacms/security/advisories/GHSA-5hxf-c7j4-279c https://github.com/tinacms/tinacms/security/advisories/GHSA-5hxf-c7j4-279c

Benzer Kayıtlar

High

CVE-2026-34603

Tina is a headless content management system. Prior to version 2.2.2, @tinacms/cli recently added lexical path-traversal…

High

CVE-2026-34604

Tina is a headless content management system. Prior to version 2.2.2, @tinacms/graphql uses string-based path containmen…

High

CVE-2026-33949

Tina is a headless content management system. Prior to version 2.2.2, a path traversal vulnerability in @tinacms/graphql…

Critical

CVE-2026-28792

Tina is a headless content management system. Prior to 2.1.8 , the TinaCMS CLI dev server combines a permissive CORS con…

High

CVE-2026-28793

Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI development server exposes media endpoints…

Medium

CVE-2026-29066

Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server configures Vite with server.fs.…