{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28791", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T14:25:19.244Z", "datePublished": "2026-03-12T16:55:47.528Z", "dateUpdated": "2026-03-13T16:27:56.642Z"}, "containers": {"cna": {"title": "Path Traversal in Media Upload Handle in Tina", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/tinacms/tinacms/security/advisories/GHSA-5hxf-c7j4-279c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-5hxf-c7j4-279c"}], "affected": [{"vendor": "tinacms", "product": "tinacms", "versions": [{"version": "< 2.1.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-12T16:55:47.528Z"}, "descriptions": [{"lang": "en", "value": "Tina is a headless content management system. Prior to 2.1.7, a path traversal vulnerability exists in the TinaCMS development server's media upload handler. The code at media.ts joins user-controlled path segments using path.join() without validating that the resulting path stays within the intended media directory. This allows writing files to arbitrary locations on the filesystem. This vulnerability is fixed in 2.1.7."}], "source": {"advisory": "GHSA-5hxf-c7j4-279c", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-5hxf-c7j4-279c", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-13T16:27:52.236019Z", "id": "CVE-2026-28791", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T16:27:56.642Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28791", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-13T16:27:52.236019Z"}}}], "references": [{"url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-5hxf-c7j4-279c", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T16:27:45.861Z"}}], "cna": {"title": "Path Traversal in Media Upload Handle in Tina", "source": {"advisory": "GHSA-5hxf-c7j4-279c", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "tinacms", "product": "tinacms", "versions": [{"status": "affected", "version": "< 2.1.7"}]}], "references": [{"url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-5hxf-c7j4-279c", "name": "https://github.com/tinacms/tinacms/security/advisories/GHSA-5hxf-c7j4-279c", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Tina is a headless content management system. Prior to 2.1.7, a path traversal vulnerability exists in the TinaCMS development server's media upload handler. The code at media.ts joins user-controlled path segments using path.join() without validating that the resulting path stays within the intended media directory. This allows writing files to arbitrary locations on the filesystem. This vulnerability is fixed in 2.1.7."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-12T16:55:47.528Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28791", "state": "PUBLISHED", "dateUpdated": "2026-03-13T16:27:56.642Z", "dateReserved": "2026-03-03T14:25:19.244Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-12T16:55:47.528Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ssw:tinacms\\/cli:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "230CF05A-3446-4C32-9F67-1EF5E63B25B9", "versionEndExcluding": "2.1.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Tina is a headless content management system. Prior to 2.1.7, a path traversal vulnerability exists in the TinaCMS development server's media upload handler. The code at media.ts joins user-controlled path segments using path.join() without validating that the resulting path stays within the intended media directory. This allows writing files to arbitrary locations on the filesystem. This vulnerability is fixed in 2.1.7."}, {"lang": "es", "value": "Tina es un sistema de gesti\u00f3n de contenidos sin cabeza. Antes de la 2.1.7, existe una vulnerabilidad de salto de ruta en el gestor de carga de medios del servidor de desarrollo de TinaCMS. El c\u00f3digo en media.ts une segmentos de ruta controlados por el usuario usando path.join() sin validar que la ruta resultante permanezca dentro del directorio de medios previsto. Esto permite escribir archivos en ubicaciones arbitrarias en el sistema de archivos. Esta vulnerabilidad est\u00e1 corregida en la 2.1.7."}], "id": "CVE-2026-28791", "lastModified": "2026-03-13T19:55:35.563", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-12T17:16:50.237", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-5hxf-c7j4-279c"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-5hxf-c7j4-279c"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.1.7)"}}], "enrichment": {"confidence": 89.0, "confidence_source": "matching", "scores": [{"score": 89.0, "source": "matching"}]}, "original": {"product": "tinacms", "source": "cna", "vendor": "tinacms"}, "product": "tinacms", "vendor": "tina"}], "analysis": {"en": {"generated_at": "2026-03-18T14:57:32.474488+00:00", "value": {"mitigation_remediation": ["Upgrade Tina CMS to version 2.1.7 or later."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary File Write"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Tina CMS development server in the tinacms:tinacms product. All releases before version 2.1.7 contain the flaw. No other versions or products are listed as affected.", "description_and_impact": "Path Traversal in the media upload handler of Tina CMS allows an attacker to write files to arbitrary locations on the server\u2019s filesystem. The vulnerability arises because the development server concatenates user-controlled path segments with path.join() without checking that the resolved path remains inside the designated media directory. Writing files outside the intended directory can overwrite critical system files or place malicious scripts, potentially leading to remote code execution or other severe compromise. This weakness corresponds to CWE\u201122.", "risk_and_exploitability": "The CVSS score of 7.4 indicates high severity. The EPSS score is below 1\u202f%, suggesting that exploitation is currently unlikely, and the issue is not listed in the CISA KEV registry. The likely attack vector is the media upload endpoint exposed by the development server; this inference is based on the description that the flaw exists in the dev server's media upload handler. Because file uploads are part of the normal functionality, an attacker with network access to the server could potentially abuse it, but this would require privileged write access to the server\u2019s filesystem."}}}}, "created": "2026-03-13T09:50:59.422046+00:00", "updated": "2026-03-20T15:48:54.601126+00:00", "vendors": ["tina", "tina$PRODUCT$tinacms"]}