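4 vulnerabilities found for TSPortal by miraheze (two distinct CVE records, CVE-2026-33541 and CVE-2026-29788, each listed once per source: nvd and cvelistv5)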
CVE-2026-33541 (GCVE-0-2026-33541)
Vulnerability from nvd – Published: 2026-03-26 20:27 – Updated: 2026-03-26 20:27
Title
TSPortal's Uncontrolled User Creation via Validation Side Effects Leads to Potential Denial of Service
Summary
TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 34, a flaw in TSPortal allowed attackers to create arbitrary user records in the database by abusing validation logic. While validation correctly rejected invalid usernames, a side effect within a validation rule caused user records to be created regardless of whether the request succeeded. This could be exploited to cause uncontrolled database growth, leading to a potential denial of service (DoS). Version 34 contains a fix for the issue.
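Severity
6.5 (Medium) – CVSS 3.1, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE
CWE-400: Uncontrolled Resource Consumption; CWE-770: Allocation of Resources Without Limits or Throttling
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/miraheze/TSPortal/security/advisories/GHSA-f346-8rp3-4h9h | x_refsource_CONFIRM |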
{
"containers": {
"cna": {
"affected": [
{
"product": "TSPortal",
"vendor": "miraheze",
"versions": [
{
"status": "affected",
"version": "\u003c 34"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "TSPortal is the WikiTide Foundation\u2019s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 34, a flaw in TSPortal allowed attackers to create arbitrary user records in the database by abusing validation logic. While validation correctly rejected invalid usernames, a side effect within a validation rule caused user records to be created regardless of whether the request succeeded. This could be exploited to cause uncontrolled database growth, leading to a potential denial of service (DoS). Version 34 contains a fix for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T20:27:05.840Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/miraheze/TSPortal/security/advisories/GHSA-f346-8rp3-4h9h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/miraheze/TSPortal/security/advisories/GHSA-f346-8rp3-4h9h"
}
],
"source": {
"advisory": "GHSA-f346-8rp3-4h9h",
"discovery": "UNKNOWN"
},
"title": "TSPortal\u0027s Uncontrolled User Creation via Validation Side Effects Leads to Potential Denial of Service"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33541",
"datePublished": "2026-03-26T20:27:05.840Z",
"dateReserved": "2026-03-20T18:05:11.832Z",
"dateUpdated": "2026-03-26T20:27:05.840Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29788 (GCVE-0-2026-29788)
Vulnerability from nvd – Published: 2026-03-06 20:31 – Updated: 2026-03-09 20:54
Title
TSPortal: Anyone can forge self-deletion requests of any user
Summary
TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 30, conversion of empty strings to null allows disguising DPA reports as genuine self-deletion reports. This issue has been patched in version 30.
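Severity
8.4 (High) – CVSS 4.0, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:H/SC:N/SI:L/SA:H
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/miraheze/TSPortal/security/advisories/GHSA-gfhq-7499-f3f2 | x_refsource_CONFIRM |
| https://issue-tracker.miraheze.org/T15053 | x_refsource_MISC |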
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29788",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T20:51:17.114554Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T20:54:30.781Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "TSPortal",
"vendor": "miraheze",
"versions": [
{
"status": "affected",
"version": "\u003c 30"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "TSPortal is the WikiTide Foundation\u2019s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 30, conversion of empty strings to null allows disguising DPA reports as genuine self-deletion reports. This issue has been patched in version 30."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:H/SC:N/SI:L/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-283",
"description": "CWE-283: Unverified Ownership",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1287",
"description": "CWE-1287: Improper Validation of Specified Type of Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T20:31:17.994Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/miraheze/TSPortal/security/advisories/GHSA-gfhq-7499-f3f2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/miraheze/TSPortal/security/advisories/GHSA-gfhq-7499-f3f2"
},
{
"name": "https://issue-tracker.miraheze.org/T15053",
"tags": [
"x_refsource_MISC"
],
"url": "https://issue-tracker.miraheze.org/T15053"
}
],
"source": {
"advisory": "GHSA-gfhq-7499-f3f2",
"discovery": "UNKNOWN"
},
"title": "TSPortal: Anyone can forge self-deletion requests of any user"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-29788",
"datePublished": "2026-03-06T20:31:17.994Z",
"dateReserved": "2026-03-04T16:26:02.899Z",
"dateUpdated": "2026-03-09T20:54:30.781Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33541 (GCVE-0-2026-33541)
Vulnerability from cvelistv5 – Published: 2026-03-26 20:27 – Updated: 2026-03-26 20:27
Title
TSPortal's Uncontrolled User Creation via Validation Side Effects Leads to Potential Denial of Service
Summary
TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 34, a flaw in TSPortal allowed attackers to create arbitrary user records in the database by abusing validation logic. While validation correctly rejected invalid usernames, a side effect within a validation rule caused user records to be created regardless of whether the request succeeded. This could be exploited to cause uncontrolled database growth, leading to a potential denial of service (DoS). Version 34 contains a fix for the issue.
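Severity
6.5 (Medium) – CVSS 3.1, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE
CWE-400: Uncontrolled Resource Consumption; CWE-770: Allocation of Resources Without Limits or Throttling
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/miraheze/TSPortal/security/advisories/GHSA-f346-8rp3-4h9h | x_refsource_CONFIRM |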
{
"containers": {
"cna": {
"affected": [
{
"product": "TSPortal",
"vendor": "miraheze",
"versions": [
{
"status": "affected",
"version": "\u003c 34"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "TSPortal is the WikiTide Foundation\u2019s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 34, a flaw in TSPortal allowed attackers to create arbitrary user records in the database by abusing validation logic. While validation correctly rejected invalid usernames, a side effect within a validation rule caused user records to be created regardless of whether the request succeeded. This could be exploited to cause uncontrolled database growth, leading to a potential denial of service (DoS). Version 34 contains a fix for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T20:27:05.840Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/miraheze/TSPortal/security/advisories/GHSA-f346-8rp3-4h9h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/miraheze/TSPortal/security/advisories/GHSA-f346-8rp3-4h9h"
}
],
"source": {
"advisory": "GHSA-f346-8rp3-4h9h",
"discovery": "UNKNOWN"
},
"title": "TSPortal\u0027s Uncontrolled User Creation via Validation Side Effects Leads to Potential Denial of Service"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33541",
"datePublished": "2026-03-26T20:27:05.840Z",
"dateReserved": "2026-03-20T18:05:11.832Z",
"dateUpdated": "2026-03-26T20:27:05.840Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29788 (GCVE-0-2026-29788)
Vulnerability from cvelistv5 – Published: 2026-03-06 20:31 – Updated: 2026-03-09 20:54
Title
TSPortal: Anyone can forge self-deletion requests of any user
Summary
TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 30, conversion of empty strings to null allows disguising DPA reports as genuine self-deletion reports. This issue has been patched in version 30.
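Severity
8.4 (High) – CVSS 4.0, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:H/SC:N/SI:L/SA:H
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/miraheze/TSPortal/security/advisories/GHSA-gfhq-7499-f3f2 | x_refsource_CONFIRM |
| https://issue-tracker.miraheze.org/T15053 | x_refsource_MISC |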
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29788",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T20:51:17.114554Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T20:54:30.781Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "TSPortal",
"vendor": "miraheze",
"versions": [
{
"status": "affected",
"version": "\u003c 30"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "TSPortal is the WikiTide Foundation\u2019s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 30, conversion of empty strings to null allows disguising DPA reports as genuine self-deletion reports. This issue has been patched in version 30."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:H/SC:N/SI:L/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-283",
"description": "CWE-283: Unverified Ownership",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1287",
"description": "CWE-1287: Improper Validation of Specified Type of Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T20:31:17.994Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/miraheze/TSPortal/security/advisories/GHSA-gfhq-7499-f3f2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/miraheze/TSPortal/security/advisories/GHSA-gfhq-7499-f3f2"
},
{
"name": "https://issue-tracker.miraheze.org/T15053",
"tags": [
"x_refsource_MISC"
],
"url": "https://issue-tracker.miraheze.org/T15053"
}
],
"source": {
"advisory": "GHSA-gfhq-7499-f3f2",
"discovery": "UNKNOWN"
},
"title": "TSPortal: Anyone can forge self-deletion requests of any user"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-29788",
"datePublished": "2026-03-06T20:31:17.994Z",
"dateReserved": "2026-03-04T16:26:02.899Z",
"dateUpdated": "2026-03-09T20:54:30.781Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}