
CVE-2026-28792

Critical · Public PoC

Published: 12 March 2026
Modified: 13 March 2026
KEV Added: not listed
Patch: available (TinaCMS 2.1.8)
CVSS v3.1: 9.6 (Critical) CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS: 0.0053 (40.9th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-28792 is a critical-severity Path Traversal (CWE-22) vulnerability in the TinaCMS CLI (ssw tinacms/cli). Its CVSS v3.1 base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). EPSS ranks it at the 40.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2026-28792 is a critical-severity vulnerability (CVSS 9.6, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) in the local dev server started by the TinaCMS CLI ("tinacms dev"), part of Tina, a headless content management system. Versions prior to 2.1.8 combine a permissive CORS policy (Access-Control-Allow-Origin: *, CWE-942) with a path traversal flaw (CWE-22). The wildcard origin lets any web page the developer has open read responses from the local dev server, so the same-origin policy that would normally keep a third-party site away from a localhost service no longer protects it, and the traversal can be driven cross-origin from the developer's own browser. The vector reflects this: no privileges are required because the dev server is unauthenticated (PR:N), the only user interaction is visiting a page (UI:R), and the impact lands on a different security scope than the attacker's web origin (S:C).

A remote, unauthenticated attacker can exploit this via a drive-by browser attack by tricking a developer into visiting a malicious website while the "tinacms dev" server is running locally. The attacker's page can then enumerate the developer's filesystem, write arbitrary files, and delete arbitrary files, potentially leading to full local compromise of the developer workstation. The exposure window is limited to the time the dev server is running, and the attack requires that the developer's browser can reach it, which is the normal case for a localhost dev server.

The GitHub security advisory (GHSA-8pw3-9m7f-q734) confirms the issue is resolved in TinaCMS 2.1.8, which practitioners should apply immediately to affected development environments.


Vulnerability details

Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server combines a permissive CORS configuration (Access-Control-Allow-Origin: *) with the path traversal vulnerability (previously reported) to enable a browser-based drive-by attack. A remote attacker can enumerate the filesystem, write arbitrary files, and delete arbitrary files on developers' machines by simply tricking them into visiting a malicious website while tinacms dev is running. This vulnerability is fixed in 2.1.8.

CWE(s)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-942 Permissive Cross-domain Policy with Untrusted Domains

Related Threats

MITRE ATT&CK Enterprise Techniques

T1189 Drive-by Compromise (Initial Access)
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1083 File and Directory Discovery (Discovery)
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1070.004 Indicator Removal: File Deletion (Defense Evasion)
Adversaries may delete files left behind by the actions of their intrusion activity.
Why these techniques?

The vulnerability is exploited through a drive-by browser attack that lures a developer to a malicious site (T1189). Once the page is open, the cross-origin requests it issues enable filesystem enumeration (T1083), collection from the local system to the extent the traversal exposes file contents (T1005), and arbitrary file deletion (T1070.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28793 · Same product: ssw tinacms/cli
CVE-2026-28791 · Same product: ssw tinacms/cli
CVE-2026-34603 · Same product: ssw tinacms/cli
CVE-2026-29066 · Same product: ssw tinacms/cli
CVE-2025-68278 · Same product: ssw tinacms/cli
CVE-2026-33949 · Same vendor: ssw
CVE-2026-34604 · Same vendor: ssw
CVE-2023-52953 · Shared CWE-22
CVE-2025-9801 · Shared CWE-22
CVE-2025-68953 · Shared CWE-22

Affected Assets

ssw
tinacms/cli
< 2.1.8 (fixed in 2.1.8)

Mitigating Controls (NIST 800-53 r5)

prevent · SI-2 Flaw Remediation
Directly remediates the combined permissive CORS and path traversal flaws by applying the vendor fix in TinaCMS 2.1.8.

prevent · Input validation
Prevents exploitation of the path traversal vulnerability (CWE-22) by validating filesystem path inputs to the dev server and rejecting any path that resolves outside the intended content root.

prevent · CM-6 Configuration Settings
Enforces secure configuration settings, such as an explicit allowlist of CORS origins in place of Access-Control-Allow-Origin: *, to block unauthorized cross-origin requests to the local dev server. Restricting origins on its own does not stop a malicious page from sending state-changing requests, so this control complements rather than replaces the flaw remediation above.
