Cyber Posture

CVE-2026-28792

Severity: Critical · Public PoC available

Published: 12 March 2026
Modified: 13 March 2026
KEV Added: none listed
Patch: available (2.1.8)
CVSS Score: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0042 (62.0th percentile)
Risk Priority: 19 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server combines a permissive CORS configuration (Access-Control-Allow-Origin: *) with the previously reported path traversal vulnerability to enable a browser-based drive-by attack. A remote attacker can enumerate the filesystem, write arbitrary files, and delete arbitrary files on developers' machines simply by tricking them into visiting a malicious website while tinacms dev is running. This vulnerability is fixed in 2.1.8.

Mitigating Controls (NIST 800-53 r5)

prevent: Directly remediates the combined permissive CORS and path traversal flaws by applying the vendor fix, TinaCMS 2.1.8.

prevent: Prevents exploitation of the path traversal vulnerability (CWE-22) by validating filesystem path inputs to the dev server, so that every resolved path stays inside the intended content root.

prevent: Enforces secure configuration settings, in particular restrictive CORS origins instead of a wildcard, so the browser refuses to expose dev-server responses to pages on other origins. Note that CORS alone does not stop a foreign page from sending simple cross-site requests; state-changing endpoints need their own origin or token check as well.

Security Summary

CVE-2026-28792 is a critical-severity vulnerability (CVSS 9.6, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) in the TinaCMS CLI dev server, part of Tina, a headless content management system. Versions prior to 2.1.8 combine a permissive CORS policy (Access-Control-Allow-Origin: *, CWE-942) with a path traversal flaw (CWE-22). The wildcard header means a script on any origin the developer's browser loads can send requests to the local dev server and read the responses, so the same-origin policy no longer shields the server during local development; the traversal flaw turns those requests into filesystem access outside the content directory.

A remote, unauthenticated attacker exploits this as a drive-by: the developer is lured to a malicious website while "tinacms dev" is running locally, and the page's JavaScript drives the dev server from inside the browser (the UI:R in the vector is that single page visit). The attacker can then enumerate the developer's filesystem, write arbitrary files, and delete arbitrary files, potentially leading to full compromise of the development machine.

The GitHub security advisory (GHSA-8pw3-9m7f-q734) confirms the issue is resolved in TinaCMS 2.1.8, which practitioners should apply immediately to affected development environments.

Details

CWE(s)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-942 Permissive Cross-domain Policy with Untrusted Domains

Affected Products

tinacms/cli
< 2.1.8 (fixed in 2.1.8)

MITRE ATT&CK Enterprise Techniques

T1189 Drive-by Compromise (Initial Access)
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1083 File and Directory Discovery (Discovery)
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1070.004 File Deletion (Defense Evasion)
Adversaries may delete files left behind by the actions of their intrusion activity.
Why these techniques?

The vulnerability is exploited through a drive-by browser attack that lures the user to a malicious site (T1189), after which the attacker's page can enumerate the filesystem (T1083), collect whatever the dev server returns to the page (T1005), and delete arbitrary files (T1070.004). One caveat on the last mapping: T1070.004 (Indicator Removal: File Deletion) describes an adversary removing its own artifacts, so destructive deletion of a developer's files is closer to T1485 Data Destruction (Impact).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

GHSA-8pw3-9m7f-q734, GitHub security advisory for TinaCMS: https://github.com/advisories/GHSA-8pw3-9m7f-q734