Cyber Resilience

CVE-2026-28793

High · Public PoC

Published: 12 March 2026
Modified: 13 March 2026
CVSS Score (v3.1): 8.4 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0020 (10.2th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-28793 is a high-severity path traversal (CWE-22) vulnerability in Ssw Tinacms/Cli (the TinaCMS CLI). Its CVSS v3.1 base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 10.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-28793 is a path traversal vulnerability (CWE-22) in the TinaCMS CLI development server, part of Tina, a headless content management system. Versions prior to 2.1.8 expose media endpoints such as /media/list/*, /media/upload/*, and /media/* on a local HTTP server (default port 4001) started by the `tinacms dev` command. These endpoints process user-controlled path segments using decodeURI() and path.join() without validating that the resolved path stays within the configured media directory, enabling attackers to read and write arbitrary files on the filesystem outside the intended directory. The vulnerability has a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Attackers can exploit this vulnerability if they have network access to the local development server, such as on the same machine or local network where `tinacms dev` is running. No privileges or user interaction are required, and exploitation involves sending crafted requests to the vulnerable media endpoints with path traversal payloads (e.g., sequences like ../). Successful exploitation allows arbitrary file read and write operations on the host filesystem, potentially leading to full system compromise depending on the server's privileges and the attacker's goals.

The GitHub security advisory (GHSA-2f24-mg4x-534q) confirms the issue and states that it is fixed in TinaCMS version 2.1.8, recommending users upgrade to this or later versions to mitigate the vulnerability. No additional workarounds are specified in the provided details.

Vulnerability details

Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI development server exposes media endpoints that are vulnerable to path traversal, allowing attackers to read and write arbitrary files on the filesystem outside the intended media directory.

When running `tinacms dev`, the CLI starts a local HTTP server (default port 4001) exposing endpoints such as /media/list/*, /media/upload/*, and /media/*. These endpoints process user-controlled path segments using decodeURI() and path.join() without validating that the resolved path remains within the configured media directory. This vulnerability is fixed in 2.1.8.

CWE(s): CWE-22 (Path Traversal)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1105 Ingress Tool Transfer (Command and Control)
Adversaries may transfer tools or other files from an external system into a compromised environment.
Why these techniques?

Path traversal in the local dev server's media endpoints directly enables arbitrary file read (T1005 Data from Local System) and file write operations equivalent to ingress of attacker-controlled content (T1105 Ingress Tool Transfer), with no authentication required.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28791 · Same product: Ssw Tinacms/Cli
CVE-2026-34603 · Same product: Ssw Tinacms/Cli
CVE-2026-28792 · Same product: Ssw Tinacms/Cli
CVE-2026-29066 · Same product: Ssw Tinacms/Cli
CVE-2025-68278 · Same product: Ssw Tinacms/Cli
CVE-2026-33949 · Same vendor: Ssw
CVE-2026-34604 · Same vendor: Ssw
CVE-2026-33183 · Shared CWE-22
CVE-2026-3795 · Shared CWE-22
CVE-2026-6615 · Shared CWE-22

Affected Assets

Vendor: ssw
Product: tinacms/cli
Version: ≤ 2.1.8

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

prevent: Directly remediates the path traversal vulnerability by identifying, reporting, and applying the fix available in TinaCMS version 2.1.8.

prevent · SI-10 (Information Input Validation): Implements input validation on user-controlled path segments in media endpoints to ensure resolved paths remain within the configured media directory, preventing traversal attacks.

prevent · AC-3 (Access Enforcement): Enforces approved access authorizations to restrict read and write operations to only the intended media directory, blocking arbitrary filesystem access.
