Home / Vulnerability Intelligence / CVE-2026-28792

CVE-2026-28792 - Vulnerability Analysis

CriticalCVSS: 9.6

Last Updated: March 13, 2026

TinaCMS - Path Traversal

Published: March 12, 2026Updated: March 13, 2026PoC AvailableRemote Exploitable

Overview

TinaCMS CLI dev server < 2.1.8 contains a path traversal combined with permissive CORS configuration, letting remote attackers enumerate, write, and delete arbitrary files on developer machines via browser drive-by attack, exploit requires developer running tinacms dev and visiting malicious website.

Severity & Score

Severity: Critical

CVSS Score: 9.6

EPSS Score: 27.2%(Probability of exploitation in next 30 days)

Impact

Remote attackers can enumerate, write, and delete arbitrary files on developer machines, leading to full system compromise.

Mitigation

Update to version 2.1.8 or later.

References

https://github.com/tinacms/tinacms/security/advisories/GHSA-8pw3-9m7f-q734

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 12, 2026

🔴 CVE-2026-28792 - Critical (9.6) Tina is a headless content management system. Prior to 2.1.8 , the TinaCMS CLI dev server combines a permissive CORS configuration (Access-Control-Allow-Origin: *) with the path traversal vulnerability (previously reported) to enable a browser-bas... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-28792/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-28792
Severity: Critical
CVSS Score: 9.6
Type: path_traversal
Status: modified
EPSS: 27.2%
Social Posts: 1

CWE

CWE-22

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

EPSS Score

27.2%Probability of exploitation in the next 30 days