Cyber Posture

CVE-2026-28791

High · Public PoC

Published: 12 March 2026
Modified: 13 March 2026
KEV Added: not listed
Patch:
CVSS Score: 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0011 (29.7th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-28791 is a high-severity Path Traversal (CWE-22) vulnerability in Ssw Tinacms/Cli. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques.
Threat & Defense Details

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: validates pathnames and filenames to prevent traversal outside intended directories.

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1485 Data Destruction (Impact): Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
T1565.001 Stored Data Manipulation (Impact): Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

Path traversal in the network-accessible dev server's media handler directly enables remote exploitation of the CMS (T1190); the resulting arbitrary file writes/overwrites enable data destruction (T1485) and stored data manipulation (T1565.001), with high integrity/availability impact.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Tina is a headless content management system. Prior to 2.1.7, a path traversal vulnerability exists in the TinaCMS development server's media upload handler. The code at media.ts joins user-controlled path segments using path.join() without validating that the resulting path stays within the intended media directory. This allows writing files to arbitrary locations on the filesystem. This vulnerability is fixed in 2.1.7.

Deeper analysis (AI)

CVE-2026-28791 is a path traversal vulnerability (CWE-22) in Tina, a headless content management system. It affects versions prior to 2.1.7, specifically the development server's media upload handler in the media.ts file. The issue stems from using path.join() to combine user-controlled path segments without validating that the resulting path remains within the intended media directory, enabling arbitrary file writes on the filesystem.

The vulnerability has a CVSS score of 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H), indicating network accessibility, high attack complexity, no privileges or user interaction required, and high impacts on integrity and availability but none on confidentiality. Remote attackers can exploit the development server to upload media files that traverse outside the designated directory, overwriting or creating files in arbitrary filesystem locations.

The GitHub security advisory confirms the vulnerability is fixed in TinaCMS version 2.1.7. Mitigation involves upgrading to 2.1.7 or later. Additional details are available at https://github.com/tinacms/tinacms/security/advisories/GHSA-5hxf-c7j4-279c.

Details

CWE(s): CWE-22 (Path Traversal)

Affected Products

ssw tinacms/cli, versions ≤ 2.1.7

CVEs Like This One

CVE-2026-28793 (same product: Ssw Tinacms/Cli)
CVE-2026-34603 (same product: Ssw Tinacms/Cli)
CVE-2026-28792 (same product: Ssw Tinacms/Cli)
CVE-2026-29066 (same product: Ssw Tinacms/Cli)
CVE-2025-68278 (same product: Ssw Tinacms/Cli)
CVE-2026-34604 (same vendor: Ssw)
CVE-2026-33949 (same vendor: Ssw)
CVE-2025-14868 (shared CWE-22)
CVE-2026-33293 (shared CWE-22)
CVE-2024-8898 (shared CWE-22)
