CVE-2026-28791
Published: 12 March 2026
Summary
CVE-2026-28791 is a high-severity Path Traversal (CWE-22) vulnerability in SSW's TinaCMS CLI (tinacms/cli). Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 30.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2026-28791 is a path traversal vulnerability (CWE-22) in TinaCMS (Tina), a headless content management system. It affects versions prior to 2.1.7, specifically the development server's media upload handler in the media.ts file. The issue stems from using path.join() to combine user-controlled path segments without validating that the resulting path remains within the intended media directory. Because path.join() normalises ".." components, a crafted segment can move the destination anywhere on the filesystem, enabling arbitrary file writes with the permissions of the server process.
The vulnerability has a CVSS score of 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H), indicating network accessibility, high attack complexity, no privileges or user interaction required, and high impacts on integrity and availability but none on confidentiality. An unauthenticated remote attacker who can reach the development server can submit an upload whose path segments traverse outside the designated media directory, overwriting or creating files in arbitrary filesystem locations.
The GitHub security advisory confirms the vulnerability is fixed in TinaCMS version 2.1.7. Mitigation involves upgrading to 2.1.7 or later. Additional details are available at https://github.com/tinacms/tinacms/security/advisories/GHSA-5hxf-c7j4-279c.
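To make the mechanism concrete, the following is an added example written for this page; it is not TinaCMS code and does not reproduce the real media.ts handler. It models the pattern the advisory describes (user-controlled segments joined onto a media root with path.join()) beside a hardened resolver, and runs both over constructed sample requests. The media root, the function names and the sample inputs are assumptions made for the demonstration.

```typescript
// Added example, not TinaCMS project code: a minimal model of the media.ts
// handler's path construction, with the vulnerable pattern beside a hardened one.
import { posix as path } from "node:path";

// Hypothetical media root. POSIX path functions are used explicitly so the
// example behaves the same on every platform.
const MEDIA_ROOT = "/srv/tina/public/uploads";

// Vulnerable pattern from the advisory: user-controlled directory and file name
// segments are joined onto the media root and the result is used as-is.
// path.join() normalises "..", so the destination can land anywhere on disk.
function vulnerableTarget(userDir: string, filename: string): string {
  return path.join(MEDIA_ROOT, userDir, filename);
}

// Hardened version. Three checks, because each one alone has a hole:
//  1. absolute segments are rejected (path.resolve() would restart from them);
//  2. the file name must be non-empty and carry no directory components;
//  3. the fully resolved path must be the root itself or start with root + "/";
//     a bare startsWith(MEDIA_ROOT) would accept ".../uploads-evil/x".
function safeTarget(userDir: string, filename: string): string {
  if (path.isAbsolute(userDir) || path.isAbsolute(filename)) {
    throw new Error("absolute path segment rejected");
  }
  if (filename.length === 0 || filename !== path.basename(filename)) {
    throw new Error("file name must be a plain name without separators");
  }
  const candidate = path.resolve(MEDIA_ROOT, userDir, filename);
  if (candidate !== MEDIA_ROOT && !candidate.startsWith(MEDIA_ROOT + path.sep)) {
    throw new Error(`traversal outside media root blocked: ${candidate}`);
  }
  return candidate;
}

// Boolean wrapper around the same policy, convenient for logging and tests.
function isAllowed(userDir: string, filename: string): boolean {
  try {
    safeTarget(userDir, filename);
    return true;
  } catch {
    return false;
  }
}

// Constructed sample requests: one legitimate upload and several traversal attempts.
const samples: Array<[string, string]> = [
  ["images/2026", "logo.png"],      // legitimate upload
  ["../../../../etc", "evil.txt"],  // classic dot-dot traversal in the directory
  ["", "../evil.txt"],              // traversal hidden in the file name
  ["/etc/cron.d", "job"],           // absolute segment
  ["../uploads-evil", "x.png"],     // sibling directory sharing the root's prefix
];

for (const [dir, name] of samples) {
  console.log(
    `${dir}/${name}`.padEnd(28),
    "join() ->",
    vulnerableTarget(dir, name).padEnd(44),
    isAllowed(dir, name) ? "ALLOWED" : "BLOCKED",
  );
}
```

The join() column shows where the unpatched pattern would write: the dot-dot case resolves to /etc/evil.txt. Note that path.join() does not reset on an absolute segment the way path.resolve() does, so a hardened handler that switches to resolve() without the absolute-segment check would actually become easier to escape; the prefix comparison with a trailing separator is what finally bounds the write to the media directory.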
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-11609
Vulnerability details
Tina is a headless content management system. Prior to 2.1.7, a path traversal vulnerability exists in the TinaCMS development server's media upload handler. The code at media.ts joins user-controlled path segments using path.join() without validating that the resulting path stays within the intended media directory. This allows writing files to arbitrary locations on the filesystem. This vulnerability is fixed in 2.1.7.
- CWE(s): CWE-22 (Path Traversal)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in the network-accessible dev server media handler directly enables remote exploitation of the CMS (T1190); the resulting arbitrary file writes and overwrites enable data destruction (T1485) and stored data manipulation (T1565.001), consistent with the high integrity and availability impact.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation of user-supplied path segments in the media upload handler to ensure the resolved path remains inside the intended directory, directly blocking the path.join() traversal.
- AC-3 (Access Enforcement): enforces that the upload process may only write files within explicitly authorized directories, preventing writes outside the media folder even if traversal input is supplied.
- Least privilege for the server process: limits the privileges of the development server process so that even a successful traversal cannot overwrite arbitrary system files outside its intended scope.