{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28792", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T14:25:19.245Z", "datePublished": "2026-03-12T16:48:16.461Z", "dateUpdated": "2026-03-13T16:29:06.236Z"}, "containers": {"cna": {"title": "Cross-Origin File Exfiltration via CORS Misconfiguration + Path Traversal in TinaCMS", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-942", "lang": "en", "description": "CWE-942: Permissive Cross-domain Policy with Untrusted Domains", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.7, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/tinacms/tinacms/security/advisories/GHSA-8pw3-9m7f-q734", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-8pw3-9m7f-q734"}], "affected": [{"vendor": "@tinacms", "product": "cli", "versions": [{"version": "< 2.1.8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-12T16:48:16.461Z"}, "descriptions": [{"lang": "en", "value": "Tina is a headless content management system. Prior to 2.1.8 , the TinaCMS CLI dev server combines a permissive CORS configuration (Access-Control-Allow-Origin: *) with the path traversal vulnerability (previously reported) to enable a browser-based drive-by attack. A remote attacker can enumerate the filesystem, write arbitrary files, and delete arbitrary files on developer's machines by simply tricking them into visiting a malicious website while tinacms dev is running. This vulnerability is fixed in 2.1.8."}], "source": {"advisory": "GHSA-8pw3-9m7f-q734", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-8pw3-9m7f-q734", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-13T16:29:02.569938Z", "id": "CVE-2026-28792", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T16:29:06.236Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28792", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-13T16:29:02.569938Z"}}}], "references": [{"url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-8pw3-9m7f-q734", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T16:28:55.395Z"}}], "cna": {"title": "Cross-Origin File Exfiltration via CORS Misconfiguration + Path Traversal in TinaCMS", "source": {"advisory": "GHSA-8pw3-9m7f-q734", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.7, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "@tinacms", "product": "cli", "versions": [{"status": "affected", "version": "< 2.1.8"}]}], "references": [{"url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-8pw3-9m7f-q734", "name": "https://github.com/tinacms/tinacms/security/advisories/GHSA-8pw3-9m7f-q734", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Tina is a headless content management system. Prior to 2.1.8 , the TinaCMS CLI dev server combines a permissive CORS configuration (Access-Control-Allow-Origin: *) with the path traversal vulnerability (previously reported) to enable a browser-based drive-by attack. A remote attacker can enumerate the filesystem, write arbitrary files, and delete arbitrary files on developer's machines by simply tricking them into visiting a malicious website while tinacms dev is running. This vulnerability is fixed in 2.1.8."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-942", "description": "CWE-942: Permissive Cross-domain Policy with Untrusted Domains"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-12T16:48:16.461Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28792", "state": "PUBLISHED", "dateUpdated": "2026-03-13T16:29:06.236Z", "dateReserved": "2026-03-03T14:25:19.245Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-12T16:48:16.461Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ssw:tinacms\\/cli:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "1CE10330-2151-486B-AF99-38DC3D2F8FA0", "versionEndExcluding": "2.1.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Tina is a headless content management system. Prior to 2.1.8 , the TinaCMS CLI dev server combines a permissive CORS configuration (Access-Control-Allow-Origin: *) with the path traversal vulnerability (previously reported) to enable a browser-based drive-by attack. A remote attacker can enumerate the filesystem, write arbitrary files, and delete arbitrary files on developer's machines by simply tricking them into visiting a malicious website while tinacms dev is running. This vulnerability is fixed in 2.1.8."}, {"lang": "es", "value": "Tina es un sistema de gesti\u00f3n de contenido sin cabeza. Previo a la 2.1.8, el servidor de desarrollo CLI de TinaCMS combina una configuraci\u00f3n CORS permisiva (Access-Control-Allow-Origin: *) con la vulnerabilidad de salto de ruta (previamente reportada) para permitir un ataque drive-by basado en el navegador. Un atacante remoto puede enumerar el sistema de archivos, escribir archivos arbitrarios y eliminar archivos arbitrarios en las m\u00e1quinas de los desarrolladores simplemente enga\u00f1\u00e1ndolos para que visiten un sitio web malicioso mientras tinacms dev est\u00e1 en ejecuci\u00f3n. Esta vulnerabilidad est\u00e1 corregida en la 2.1.8."}], "id": "CVE-2026-28792", "lastModified": "2026-03-13T19:54:32.090", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-12T17:16:50.387", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-8pw3-9m7f-q734"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-8pw3-9m7f-q734"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-942"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.1.8)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "cli", "source": "cna", "vendor": "@tinacms"}, "product": "tinacms", "vendor": "tina"}], "analysis": {"en": {"generated_at": "2026-03-18T14:58:29.509848+00:00", "value": {"mitigation_remediation": ["Upgrade TinaCMS CLI to version 2.1.8 or later", "If upgrading immediately is not possible, configure the dev server to restrict CORS origins or disable CORS entirely"], "summary": {"action": "Patch Now", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The flaw affects the TinaCMS CLI component from the vendor ssw, version numbers prior to 2.1.8. Any instance of the dev server running before that patch is vulnerable, regardless of the Node.js runtime version.", "description_and_impact": "The vulnerability in the TinaCMS CLI dev server allows an attacker to combine a permissive CORS policy (Access\u2011Control\u2011Allow\u2011Origin: *) with a pre\u2011existing path traversal flaw to enumerate the local filesystem, write arbitrary files, and delete files on a developer\u2019s machine. Key weaknesses include unvalidated file paths (CWE\u201122) and insecure resource handling (CWE\u2011942). The result is that a malicious user could upload and execute code or modify critical configuration files, resulting in full compromise of the developer\u2019s environment.", "risk_and_exploitability": "The CVSS score of 9.7 indicates critical severity, but the EPSS score of less than 1% suggests low exploitation probability at this time, and the vulnerability is not listed in the CISA KEV catalog. However, the attack requires only that a compromised or malicious web page be loaded while the dev server is running, which is a realistic scenario for developers leaving the dev server exposed. The combined permissive CORS and path traversal enable a direct browser\u2011based drive\u2011by attack, making the vulnerability highly exploitable where conditions are met."}}}}, "created": "2026-03-13T09:51:02.475367+00:00", "updated": "2026-03-20T15:48:56.388414+00:00", "vendors": ["tina", "tina$PRODUCT$tinacms"]}