9.6

TinaCMS CLI Dev Server Allows Hackers to Steal Files

CVE-2026-28792 GHSA-8pw3-9m7f-q734
Summary

The TinaCMS development server can expose files on a developer's computer to hackers if the developer visits a malicious website while the server is running. This is because the server allows any website to access its files, and a previous vulnerability allows hackers to access protected files. To protect yourself, use a virtual private network (VPN) or a firewall to isolate your development server from the internet when you're not actively using it.

What to do
  • Update tinacms cli to version 2.1.8.
Affected software
Vendor   | Product      | Affected versions | Fix available
tinacms  | cli          | <= 2.1.8          | 2.1.8
ssw      | tinacms/cli  | <= 2.1.8          | –
Original title
Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server combines a permissive CORS configuration (Access-Control-Allow-Origin: *) with the path traversal vulnerabi...
Original description
Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server combines a permissive CORS configuration (Access-Control-Allow-Origin: *) with the path traversal vulnerability (previously reported) to enable a browser-based drive-by attack. A remote attacker can enumerate the filesystem, write arbitrary files, and delete arbitrary files on developers' machines by simply tricking them into visiting a malicious website while tinacms dev is running. This vulnerability is fixed in 2.1.8.
nvd CVSS3.1 9.6
Vulnerability type
CWE-22 Path Traversal
CWE-942
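
The two weaknesses named above (CWE-942 and CWE-22) map to two server-side checks, sketched here as an added example that is not TinaCMS code or its 2.1.8 fix. The origin allowlist, port 4001, the `req.query.path` parameter and all function names are assumptions made for illustration.

```javascript
// Added example (not TinaCMS code): checks a local dev server can apply
// before touching the filesystem on behalf of an HTTP request.
const path = require('node:path');

// Assumption: the dev UI is only ever loaded from these local origins.
const ALLOWED_ORIGINS = new Set(['http://localhost:4001', 'http://127.0.0.1:4001']);

// Value for Access-Control-Allow-Origin, or null to send no CORS header.
// Echoing an allowlisted origin replaces the wildcard "*".
function corsOriginFor(requestOrigin) {
  if (!requestOrigin) return null; // same-origin navigation or non-browser client
  return ALLOWED_ORIGINS.has(requestOrigin) ? requestOrigin : null;
}

// Resolve a client-supplied path under rootDir; reject "../" escapes,
// absolute paths and NUL bytes. Symlinks are not followed here; compare
// fs.realpath results as well if the content tree may contain them.
function resolveInside(rootDir, userPath) {
  if (typeof userPath !== 'string' || userPath.includes('\0')) return null;
  const root = path.resolve(rootDir);
  const target = path.resolve(root, userPath);
  const rel = path.relative(root, target);
  if (rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) return null;
  return target;
}

// Decision for one request (hypothetical request shape: headers + query.path).
function authorize(req, rootDir) {
  const origin = req.headers.origin;
  const allowOrigin = corsOriginFor(origin);
  // Refuse foreign-origin requests outright. Withholding the CORS header only
  // hides the response; a write or delete would still have been carried out.
  if (origin && !allowOrigin) return { status: 403, allowOrigin: null, file: null };
  const file = resolveInside(rootDir, req.query.path);
  if (!file) return { status: 400, allowOrigin, file: null };
  return { status: 200, allowOrigin, file };
}

// Constructed sample requests.
const foreign = { headers: { origin: 'https://attacker.example' }, query: { path: 'content/a.md' } };
const escape = { headers: { origin: 'http://localhost:4001' }, query: { path: '../../etc/passwd' } };
const normal = { headers: { origin: 'http://localhost:4001' }, query: { path: 'content/a.md' } };
for (const r of [foreign, escape, normal]) console.log(authorize(r, '/srv/site'));
```
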
Published: 12 Mar 2026 · Updated: 14 Mar 2026 · First seen: 12 Mar 2026