Cyber Resilience

CVE-2026-28791

Severity: High · Public PoC
Published: 12 March 2026
Modified: 13 March 2026
CVSS Score v3.1: 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0012 (30.6th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-28791 is a high-severity path traversal (CWE-22) vulnerability in Ssw Tinacms/Cli (the tinacms/cli package). Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 30.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-28791 is a path traversal vulnerability (CWE-22) in Tina, a headless content management system. It affects versions prior to 2.1.7, specifically the development server's media upload handler in media.ts. The handler uses path.join() to combine user-controlled path segments without validating that the resulting path remains within the intended media directory, so a request can name a location outside that directory and cause an arbitrary file write on the filesystem.

The vulnerability has a CVSS score of 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H), indicating network accessibility, high attack complexity, no privileges or user interaction required, and high impacts on integrity and availability but none on confidentiality. Remote attackers can exploit the development server to upload media files that traverse outside the designated directory, overwriting or creating files in arbitrary filesystem locations.

The GitHub security advisory confirms the vulnerability is fixed in TinaCMS version 2.1.7. Mitigation involves upgrading to 2.1.7 or later. Additional details are available at https://github.com/tinacms/tinacms/security/advisories/GHSA-5hxf-c7j4-279c.


Vulnerability details

Tina is a headless content management system. Prior to 2.1.7, a path traversal vulnerability exists in the TinaCMS development server's media upload handler. The code at media.ts joins user-controlled path segments using path.join() without validating that the resulting path stays within the intended media directory. This allows writing files to arbitrary locations on the filesystem. This vulnerability is fixed in 2.1.7.

CWE(s)

CWE-22 Path Traversal

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1485 Data Destruction (Impact)
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.

T1565.001 Stored Data Manipulation (Impact)
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

Path traversal in the network-accessible development server's media handler directly enables remote exploitation of the CMS (T1190); the resulting arbitrary file writes and overwrites enable data destruction (T1485) and stored data manipulation (T1565.001), with high integrity and availability impact.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-28793 (same product: Ssw Tinacms/Cli)
CVE-2026-34603 (same product: Ssw Tinacms/Cli)
CVE-2026-28792 (same product: Ssw Tinacms/Cli)
CVE-2026-29066 (same product: Ssw Tinacms/Cli)
CVE-2025-68278 (same product: Ssw Tinacms/Cli)
CVE-2026-34604 (same vendor: Ssw)
CVE-2026-33949 (same vendor: Ssw)
CVE-2025-67963 (shared CWE-22)
CVE-2026-4351 (shared CWE-22)
CVE-2026-22448 (shared CWE-22)

Affected Assets

Vendor: ssw
Product: tinacms/cli
Versions: ≤ 2.1.7

Mitigating Controls (NIST 800-53 r5, AI-assigned)

prevent · SI-10 Information Input Validation
Requires validation of user-supplied path segments in the media upload handler to ensure the resolved path remains inside the intended directory, directly blocking the path.join() traversal.

prevent · AC-3 Access Enforcement
Enforces that the upload process may only write files within explicitly authorized directories, preventing writes outside the media folder even if traversal input is supplied.

prevent
Limits the privileges of the development server process so that even a successful traversal cannot overwrite arbitrary system files outside its intended scope.

References

GitHub security advisory GHSA-5hxf-c7j4-279c: https://github.com/tinacms/tinacms/security/advisories/GHSA-5hxf-c7j4-279c