Lookup for vulnerable packages by Package URL.

Purl pkg:npm/%40tinacms/cli@0.0.0-9fee8af-20260211002929
Type npm
Namespace @tinacms
Name cli
Version 0.0.0-9fee8af-20260211002929
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 2.1.8
Latest_non_vulnerable_version 2.1.8
Affected_by_vulnerabilities
0
url VCID-j5k4-p718-17e3
vulnerability_id VCID-j5k4-p718-17e3
summary Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI development server exposes media endpoints that are vulnerable to path traversal, allowing attackers to read and write arbitrary files on the filesystem outside the intended media directory. When running tinacms dev, the CLI starts a local HTTP server (default port 4001) exposing endpoints such as /media/list/*, /media/upload/*, and /media/*. These endpoints process user-controlled path segments using decodeURI() and path.join() without validating that the resolved path remains within the configured media directory. This vulnerability is fixed in 2.1.8.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-28793
reference_id
reference_type
scores
0
value 0.00034
scoring_system epss
scoring_elements 0.1044
published_at 2026-06-14T12:55:00Z
1
value 0.00034
scoring_system epss
scoring_elements 0.10412
published_at 2026-06-11T12:55:00Z
2
value 0.00034
scoring_system epss
scoring_elements 0.10466
published_at 2026-06-13T12:55:00Z
3
value 0.00034
scoring_system epss
scoring_elements 0.10464
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-28793
1
reference_url https://github.com/tinacms/tinacms
reference_id
reference_type
scores
0
value 8.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/tinacms/tinacms
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-28793
reference_id
reference_type
scores
0
value 8.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-28793
3
reference_url https://github.com/advisories/GHSA-2f24-mg4x-534q
reference_id GHSA-2f24-mg4x-534q
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-2f24-mg4x-534q
4
reference_url https://github.com/tinacms/tinacms/security/advisories/GHSA-2f24-mg4x-534q
reference_id GHSA-2f24-mg4x-534q
reference_type
scores
0
value 8.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-13T16:28:28Z/
url https://github.com/tinacms/tinacms/security/advisories/GHSA-2f24-mg4x-534q
fixed_packages
0
url pkg:npm/%40tinacms/cli@2.1.8
purl pkg:npm/%40tinacms/cli@2.1.8
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540tinacms/cli@2.1.8
aliases CVE-2026-28793, GHSA-2f24-mg4x-534q
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-j5k4-p718-17e3
1
url VCID-tcnd-bb71-z3hg
vulnerability_id VCID-tcnd-bb71-z3hg
summary Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server combines a permissive CORS configuration (Access-Control-Allow-Origin: *) with the path traversal vulnerability (previously reported) to enable a browser-based drive-by attack. A remote attacker can enumerate the filesystem, write arbitrary files, and delete arbitrary files on developers' machines by simply tricking them into visiting a malicious website while tinacms dev is running. This vulnerability is fixed in 2.1.8.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-28792
reference_id
reference_type
scores
0
value 0.00484
scoring_system epss
scoring_elements 0.65841
published_at 2026-06-14T12:55:00Z
1
value 0.00484
scoring_system epss
scoring_elements 0.65734
published_at 2026-06-11T12:55:00Z
2
value 0.00484
scoring_system epss
scoring_elements 0.65845
published_at 2026-06-13T12:55:00Z
3
value 0.00484
scoring_system epss
scoring_elements 0.65831
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-28792
1
reference_url https://github.com/tinacms/tinacms
reference_id
reference_type
scores
0
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/tinacms/tinacms
2
reference_url https://github.com/tinacms/tinacms/commit/56d533e610a520ba66b3e58f3a0dc03487d5d5d7
reference_id
reference_type
scores
0
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/tinacms/tinacms/commit/56d533e610a520ba66b3e58f3a0dc03487d5d5d7
3
reference_url https://github.com/tinacms/tinacms/pull/6450
reference_id
reference_type
scores
0
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/tinacms/tinacms/pull/6450
4
reference_url https://github.com/tinacms/tinacms/releases/tag/%40tinacms%2Fcli%402.1.8
reference_id
reference_type
scores
0
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/tinacms/tinacms/releases/tag/%40tinacms%2Fcli%402.1.8
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-28792
reference_id
reference_type
scores
0
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-28792
6
reference_url https://github.com/advisories/GHSA-8pw3-9m7f-q734
reference_id GHSA-8pw3-9m7f-q734
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8pw3-9m7f-q734
7
reference_url https://github.com/tinacms/tinacms/security/advisories/GHSA-8pw3-9m7f-q734
reference_id GHSA-8pw3-9m7f-q734
reference_type
scores
0
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value 9.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
2
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-13T16:29:02Z/
url https://github.com/tinacms/tinacms/security/advisories/GHSA-8pw3-9m7f-q734
fixed_packages
0
url pkg:npm/%40tinacms/cli@2.1.8
purl pkg:npm/%40tinacms/cli@2.1.8
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540tinacms/cli@2.1.8
aliases CVE-2026-28792, GHSA-8pw3-9m7f-q734
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tcnd-bb71-z3hg
2
url VCID-x7w5-kvqc-s7hw
vulnerability_id VCID-x7w5-kvqc-s7hw
summary Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server configures Vite with server.fs.strict: false, which disables Vite's built-in filesystem access restriction. This allows any unauthenticated attacker who can reach the dev server to read arbitrary files on the host system. This vulnerability is fixed in 2.1.8.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-29066
reference_id
reference_type
scores
0
value 0.06479
scoring_system epss
scoring_elements 0.91331
published_at 2026-06-14T12:55:00Z
1
value 0.06479
scoring_system epss
scoring_elements 0.91295
published_at 2026-06-11T12:55:00Z
2
value 0.06479
scoring_system epss
scoring_elements 0.91333
published_at 2026-06-13T12:55:00Z
3
value 0.06479
scoring_system epss
scoring_elements 0.91326
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-29066
1
reference_url https://github.com/tinacms/tinacms
reference_id
reference_type
scores
0
value 6.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/tinacms/tinacms
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-29066
reference_id
reference_type
scores
0
value 6.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-29066
3
reference_url https://github.com/advisories/GHSA-m48g-4wr2-j2h6
reference_id GHSA-m48g-4wr2-j2h6
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-m48g-4wr2-j2h6
4
reference_url https://github.com/tinacms/tinacms/security/advisories/GHSA-m48g-4wr2-j2h6
reference_id GHSA-m48g-4wr2-j2h6
reference_type
scores
0
value 6.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-13T16:27:18Z/
url https://github.com/tinacms/tinacms/security/advisories/GHSA-m48g-4wr2-j2h6
fixed_packages
0
url pkg:npm/%40tinacms/cli@2.1.8
purl pkg:npm/%40tinacms/cli@2.1.8
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540tinacms/cli@2.1.8
aliases CVE-2026-29066, GHSA-m48g-4wr2-j2h6
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-x7w5-kvqc-s7hw
Fixing_vulnerabilities
Risk_score 4.5
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540tinacms/cli@0.0.0-9fee8af-20260211002929