Description

Tina is a headless content management system. Prior to 2.1.8 , the TinaCMS CLI dev server combines a permissive CORS configuration (Access-Control-Allow-Origin: *) with the path traversal vulnerability (previously reported) to enable a browser-based drive-by attack. A remote attacker can enumerate the filesystem, write arbitrary files, and delete arbitrary files on developer's machines by simply tricking them into visiting a malicious website while tinacms dev is running. This vulnerability is fixed in 2.1.8.

INFO

Published Date :

2026-03-12T16:48:16.461Z

Last Modified :

2026-03-13T16:29:06.236Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-28792 vulnerability.

Vendors Products
Ssw
  • Tinacms\/cli
Tina
  • Tinacms
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-28792.

URL Resource
https://github.com/tinacms/tinacms/security/advisories/GHSA-8pw3-9m7f-q734 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact