PT-2026-25011 · Git+3 · Tinacms+1

Yueyuel · Published 2026-03-12 · Updated 2026-03-12 · CVE-2026-28791

CVSS v3.1: 7.4 High
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Tina versions prior to 2.1.7; @tinacms/cli versions prior to 2.0.5
Description: Tina is a headless content management system. A path traversal vulnerability exists in the TinaCMS development server's media upload handler. The code in media.ts joins user-controlled path segments using path.join() without validating that the resulting path remains within the intended media directory. This allows writing files to arbitrary locations on the filesystem. The vulnerability is present in the handlePost, handleDelete, handleList, MediaModel.listMedia, and MediaModel.deleteMedia functions. Similar code also exists in the Express version. The vulnerability could potentially lead to remote code execution, denial of service, or information disclosure.

The vulnerable code is located in packages/@tinacms/cli/src/next/commands/dev-command/server/media.ts, lines 42-43. The path.join() function resolves .. segments in the path, and when the user-supplied path contains traversal sequences, these are resolved relative to the media folder, allowing escape to arbitrary filesystem locations.
Recommendations:
Tina versions prior to 2.1.7: Add path validation to ensure the resolved path stays within the media directory.
@tinacms/cli versions prior to 2.0.5: Add path validation to ensure the resolved path stays within the media directory.
Consider creating a validation helper function to ensure consistent path validation across all affected functions and endpoints. Apply the fix to the handleDelete function, the handleList function, the MediaModel.listMedia method, the MediaModel.deleteMedia method, and the Express router in packages/@tinacms/cli/src/server/.

Exploit · Fix · Path traversal

Weakness Enumeration

Related Identifiers: CVE-2026-28791, GHSA-5HXF-C7J4-279C

Affected Products: Tinacms, @Tinacms/Cli