Severity: 8.4

TinaCMS Development Server Exposes Sensitive Files to Unauthenticated Access

CVE-2026-28793 GHSA-2f24-mg4x-534q
Summary

An unauthenticated attacker can read, write, or delete sensitive files on your computer by accessing the TinaCMS development server. This is because the server does not properly validate file paths, allowing an attacker to navigate outside the intended media directory. To fix this, update to the latest version of TinaCMS or use a secure development environment.

What to do
  • Update tinacms cli to version 2.1.8.
Affected software
Vendor    Product        Affected versions    Fix available
tinacms   cli            <= 2.1.8             2.1.8
ssw       tinacms/cli    <= 2.1.8             –
Original title
Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI development server exposes media endpoints that are vulnerable to path traversal, allowing attackers to read and write ...
Original description
Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI development server exposes media endpoints that are vulnerable to path traversal, allowing attackers to read and write arbitrary files on the filesystem outside the intended media directory. When running tinacms dev, the CLI starts a local HTTP server (default port 4001) exposing endpoints such as /media/list/*, /media/upload/*, and /media/*. These endpoints process user-controlled path segments using decodeURI() and path.join() without validating that the resolved path remains within the configured media directory. This vulnerability is fixed in 2.1.8.
nvd CVSS3.1 8.4
Vulnerability type
CWE-22 Path Traversal
Published: 12 Mar 2026 · Updated: 14 Mar 2026 · First seen: 12 Mar 2026