Description
Tina is a headless content management system. Prior to 2.1.7, a path traversal vulnerability exists in the TinaCMS development server's media upload handler. The code at media.ts joins user-controlled path segments using path.join() without validating that the resulting path stays within the intended media directory. This allows writing files to arbitrary locations on the filesystem. This vulnerability is fixed in 2.1.7.
Published: 2026-03-12
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Write
Action: Immediate Patch
AI Analysis

Impact

Path Traversal in the media upload handler of Tina CMS allows an attacker to write files to arbitrary locations on the server’s filesystem. The vulnerability arises because the development server concatenates user-controlled path segments with path.join() without checking that the resolved path remains inside the designated media directory. Writing files outside the intended directory can overwrite critical system files or place malicious scripts, potentially leading to remote code execution or other severe compromise. This weakness corresponds to CWE‑22.

Affected Systems

The vulnerability affects the Tina CMS development server in the tinacms:tinacms product. All releases before version 2.1.7 contain the flaw. No other versions or products are listed as affected.

Risk and Exploitability

The CVSS score of 7.4 indicates high severity. The EPSS score is below 1 %, suggesting that exploitation is currently unlikely, and the issue is not listed in the CISA KEV registry. The likely attack vector is the media upload endpoint exposed by the development server; this inference is based on the description that the flaw exists in the dev server's media upload handler. Because file uploads are part of the normal functionality, an attacker with network access to the server could potentially abuse it, but this would require privileged write access to the server’s filesystem.

Generated by OpenCVE AI on March 18, 2026 at 14:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Tina CMS to version 2.1.7 or later.

Generated by OpenCVE AI on March 18, 2026 at 14:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-5hxf-c7j4-279c Tina: Path Traversal in Media Upload Handle
History

Fri, 13 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Ssw
Ssw tinacms\/cli
CPEs cpe:2.3:a:ssw:tinacms\/cli:*:*:*:*:*:node.js:*:*
Vendors & Products Ssw
Ssw tinacms\/cli

Fri, 13 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Tina
Tina tinacms
Vendors & Products Tina
Tina tinacms

Thu, 12 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Description Tina is a headless content management system. Prior to 2.1.7, a path traversal vulnerability exists in the TinaCMS development server's media upload handler. The code at media.ts joins user-controlled path segments using path.join() without validating that the resulting path stays within the intended media directory. This allows writing files to arbitrary locations on the filesystem. This vulnerability is fixed in 2.1.7.
Title Path Traversal in Media Upload Handle in Tina
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H'}

Subscriptions

Ssw Tinacms\/cli
Tina Tinacms
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-13T16:27:56.642Z

Reserved: 2026-03-03T14:25:19.244Z

Link: CVE-2026-28791

cve-icon Vulnrichment

Updated: 2026-03-13T16:27:45.861Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-12T17:16:50.237

Modified: 2026-03-13T19:55:35.563

Link: CVE-2026-28791

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T15:48:54Z

Weaknesses