TinaCMS: Malicious File Uploads Can Write to Arbitrary Locations
CVE-2026-28791
GHSA-5hxf-c7j4-279c
Summary
The media upload handler of the TinaCMS development server joins user-supplied path segments without checking that the result stays inside the intended media directory, so an uploaded file can be written to an unintended location on the server, potentially leading to unauthorized access or data corruption. The issue is particularly concerning because it is exploitable over the network. To mitigate this risk, update the TinaCMS development server to the latest version, or implement additional validation of upload paths.
What to do
- Update tinacms to version 2.1.7.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | tinacms | <= 2.1.7 | 2.1.7 |
| ssw | tinacms/cli | <= 2.1.7 | – |
Original description
Tina is a headless content management system. Prior to 2.1.7, a path traversal vulnerability exists in the TinaCMS development server's media upload handler. The code at media.ts joins user-controlled path segments using path.join() without validating that the resulting path stays within the intended media directory. This allows writing files to arbitrary locations on the filesystem. This vulnerability is fixed in 2.1.7.
NVD CVSS 3.1
7.4
Vulnerability type
CWE-22
Path Traversal
Published: 12 Mar 2026 · Updated: 14 Mar 2026 · First seen: 12 Mar 2026