PT-2026-25012 · npm +3 · @tinacms/cli +2

Alaeddine03 · Published 2026-03-12 · Updated 2026-03-16

CVE-2026-28792
CVSS v3.1: 9.6 Critical
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: TinaCMS (@tinacms/cli) versions prior to 2.1.8
Description: TinaCMS is a headless content management system. Its CLI dev server (started with `tinacms dev`) combines a permissive CORS configuration (`Access-Control-Allow-Origin: *`) with a path traversal vulnerability in the media API. Neither defect is remotely reachable on its own, since the dev server runs on the developer's machine, but together they enable a browser-based drive-by attack: a remote attacker who tricks a developer into visiting a malicious website while the dev server is running can enumerate the filesystem, write arbitrary files, and delete arbitrary files on that developer's machine.

Attack flow: the developer runs `tinacms dev`, then unknowingly opens an attacker-controlled page. JavaScript on that page issues cross-origin requests to the local dev server; the wildcard CORS header lets the script read the responses, and the path traversal lets those requests escape the media directory. Sensitive files read this way are exfiltrated to the attacker's server.

Vulnerable component: the TinaCMS dev server, specifically its CORS configuration and the path handling of the media endpoints.

- `/media/list/` allows filesystem enumeration.
- `/media/upload/` is susceptible to path traversal, allowing attackers to write arbitrary files.
- `/media/` with the DELETE method allows file deletion and is also vulnerable to path traversal.

Note that binding the dev server to localhost is no defence here: the requests originate from the developer's own browser on the same host. A browser always sends the cross-origin request; the wildcard origin is what allows the attacker's page to read the response, and since a wildcard cannot be combined with credentials, the attack depends on the endpoints being usable without authentication. The CVSS vector's UI:R reflects the need for the developer to visit the page, and S:C reflects that the impact extends from the dev server to files on the developer's operating system.
Recommendations: Update to TinaCMS version 2.1.8 or later. Check the installed version with `npm ls @tinacms/cli`. Until the update is applied, avoid browsing untrusted sites while `tinacms dev` is running, and stop the dev server when it is not in use.

References: Exploit, Fix

Weakness Enumeration: Path traversal

Related Identifiers:

CVE-2026-28792
GHSA-8pw3-9m7f-q734

Affected Products:

@tinacms/cli
cli
tinacms