TinaCMS Vulnerable to Path Traversal Leading to Arbitrary File Read, Write and Delete
Summary: The TinaCMS CLI development server exposes media endpoints that are vulnerable to path traversal, allowing attackers to read and write arbitrary files on the filesystem outside the intended media directory. Details: When running tinacms dev, the CLI starts a local HTTP server default port...
Files or Directories Accessible to External Parties
Overview: @tinacms/cli is a package used to set up your project with Tina Cloud configuration, and run a local version of the Tina Cloud content-api. Affected versions of this package are vulnerable to Files or Directories Accessible to External Parties via the dev server configuration when...
GHSA-5HXF-C7J4-279C Tina: Path Traversal in Media Upload Handle
Affected Package: Package: @tinacms/cli; Version: 2.0.5, latest at time of discovery; Vulnerable File: packages/@tinacms/cli/src/next/commands/dev-command/server/media.ts; Vulnerable Lines: 42-43. Summary: A path traversal vulnerability CWE-22...
Directory Traversal
Overview: @tinacms/cli is a package used to set up your project with Tina Cloud configuration, and run a local version of the Tina Cloud content-api. Affected versions of this package are vulnerable to Directory Traversal in the development server's media upload handler. An attacker can write or...
CVE-2026-28791
Tina is a headless content management system. Prior to 2.1.7, a path traversal vulnerability exists in the TinaCMS development server's media upload handler. The code at media.ts joins user-controlled path segments using path.join without validating that the resulting path stays within the intend...
CVE-2026-28791 Path Traversal in Media Upload Handle in Tina
Tina is a headless content management system. Prior to 2.1.7, a path traversal vulnerability exists in the TinaCMS development server's media upload handler. The code at media.ts joins user-controlled path segments using path.join without validating that the resulting path stays within the intend...
CVE-2026-28791
CVE-2026-28791: TinaCMS’s development server media upload handler is vulnerable to path traversal prior to 2.1.7. The code uses path.join() on user-supplied path segments without restricting the resulting path to the media directory, enabling writing files to arbitrary filesystem locations. The ...
binary-exploitation
binary-exploitation A collection of binary exploitation...
.NET 10.0 security update
10.0.104-1.0.1 - Add support for Oracle Linux 10.0.104-1 - Update to .NET SDK 10.0.104 and Runtime 10.0.4 - Resolves: RHEL-152949...
.NET 10.0 security update
10.0.104-1.0.1 - Add support for Oracle Linux 10.0.104-1 - Update to .NET SDK 10.0.104 and Runtime 10.0.4 - Resolves: RHEL-152954...
GPAC Security Vulnerability
GPAC is an open-source multimedia framework developed by GPAC. The GPAC 26.03-DEV version contains a security vulnerability, which stems from a stack buffer overflow in the txtinprocesstexml function within the TeXML File Parser component...
TinaCMS Path Traversal Vulnerability
TinaCMS is an open-source headless CMS developed by Tina for Markdown, MDX, and JSON formats. Versions of TinaCMS prior to 2.1.7 had a path traversal vulnerability. This vulnerability stemmed from issues with the media upload processing mechanism used by the TinaCMS development server, allowing f...
PT-2026-25013
Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI development server exposes media endpoints that are vulnerable to path traversal, allowing attackers to read and write arbitrary files on the filesystem outside the intended media directory. When running tinacms dev, th...
Highly Autonomous Cyber-Capable Agents: Anticipating Capabilities, Tactics, and Strategic Implications
This report introduces the concept of "Highly Autonomous Cyber-Capable Agents" (HACCAs), AI systems capable of autonomously conducting multi-stage cyber campaigns at a level comparable to today's top criminal hacking groups or state-affiliated threat actors, and analyzes the security implications o...
.NET 9.0 security update
9.0.115-1.0.1 - Add support for Oracle Linux 9.0.115-1 - Update to .NET SDK 9.0.115 and Runtime 9.0.14 - Resolves: RHEL-152946...
CVE-2026-2364
If a legitimate user confirms a self-update prompt or initiates an installation of a CODESYS Development System, a low privileged local attacker can gain elevated rights due to a TOCTOU vulnerability in the CODESYS installer...
What Boards Must Demand in the Age of AI-Automated Exploitation
“You knew, and you could have acted. Why didn’t you?” This is the question you do not want to be asked. And increasingly, it’s the question leaders are forced to answer after an incident. For years, many executive teams and boards have treated a large vulnerability backlog as an uncomfortable but...
CVE-2023-27573
netbox-docker before 2.5.0 has a superuser account with default credentials (admin password for the admin account, and 0123456789abcdef0123456789abcdef01234567 value for SUPERUSER_API_TOKEN). In practice on the public Internet, almost all users changed the password but only about 90% changed the toke...