CVE-2026-28792
Cross-Origin File Exfiltration via CORS Misconfiguration + Path Traversal in TinaCMS
CVSS Score
9.7
EPSS Score
0.0%
EPSS Percentile
0th
Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server combines a permissive CORS configuration (Access-Control-Allow-Origin: *) with the previously reported path traversal vulnerability to enable a browser-based drive-by attack. With the wildcard header, any web page the developer has open can send requests to the local dev server and read the responses, so a remote attacker who tricks a developer into visiting a malicious website while `tinacms dev` is running can, from that page, enumerate the filesystem and write or delete arbitrary files on the developer's machine. This vulnerability is fixed in 2.1.8.
| CWE | CWE-22 CWE-942 |
| Vendor | @tinacms |
| Product | cli |
| Published | Mar 12, 2026 |
| Last Updated | Mar 13, 2026 |
CVSS v3 Breakdown
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Changed |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
Affected Versions
@tinacms / cli
< 2.1.8