PT-2026-25013 · Npm+3 · @Tinacms/Cli+2

Alaeddine03 · Published 2026-03-12 · Updated 2026-03-13 · CVE-2026-28793

CVSS v3.1: 8.4 (High)
Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: TinaCMS versions prior to 2.1.8

Description: Tina is a headless content management system. The TinaCMS CLI development server, before version 2.1.8, exposes media endpoints susceptible to path traversal. This allows attackers to read, write, and potentially delete arbitrary files on the filesystem outside the intended media directory.

The server starts a local HTTP server (default port 4001) exposing endpoints such as '/media/list/', '/media/upload/', and '/media/*'. These endpoints process user-controlled path segments using decodeURI() and path.join() without validating that the resolved path remains within the configured media directory. The vulnerable code uses path.join() to construct file paths without proper validation, allowing attackers to manipulate the path and access files outside the intended directory. Specifically, the fullPath variable, derived from the request URL, is combined with path.join() to create the saveTo path, which is then used to write files.

An attacker can exploit this by crafting a malicious path segment in the URL to traverse the directory structure and access sensitive files. For example, using a path like '/media/upload/../../../../etc/passwd' could allow an attacker to read the contents of the '/etc/passwd' file. The vulnerability can be exploited in cloud IDEs, Docker or VM setups with port forwarding, misconfigured dev environments, and local malware scenarios. An attacker could read arbitrary files, write arbitrary files, delete or overwrite files, and potentially escalate to code execution.

Recommendations: Versions prior to 2.1.8 should be updated to version 2.1.8 or later.


Path traversal


Weakness Enumeration

Related identifiers

CVE-2026-28793
GHSA-2F24-MG4X-534Q

Affected products

@Tinacms/Cli
Cli
Tinacms