Description
TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 30, conversion of empty strings to null allows disguising DPA reports as genuine self-deletion reports. This issue has been patched in version 30.
Published: 2026-03-06
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Unprivileged Account Deletion and Data Loss
Action: Patch
AI Analysis

Impact

A flaw in TSPortal prior to version 30 allows an attacker to forge a self‑deletion request by converting an empty string into a null value. This bypasses the intended separation between Data Privacy Act reports and genuine self‑deletion submissions, letting the attacker delete any user account. The weakness falls under authorized‑access‑bypass via user‑controlled input (CWE‑283) and improper input validation (CWE‑1287). The result is loss of user data and potential denial of service for the affected platform.

Affected Systems

Miraheze's TSPortal platform, versions older than 30, used by the WikiTide Foundation Trust and Safety team.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.4, indicating high severity, while the EPSS score is below 1%, implying a low probability of exploitation at present. It is not listed in CISA's KEV catalog. Based on the description, an attacker can exploit the issue by sending forged deletion requests to the platform's API or user interface, potentially without additional authentication. The exploit requires no intricate conditions, making it straightforward for malicious actors, who can target any user account.

Generated by OpenCVE AI on April 18, 2026 at 09:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade TSPortal to version 30 or later to apply the fix for empty‑string handling.
  • Audit recent deletion logs to identify and remediate any unauthorized account deletions that may have occurred before the patch.
  • If upgrading is not immediately possible, temporarily disable the self‑deletion feature until the patch can be applied.



Advisories
Source | ID | Title
Github GHSA | GHSA-gfhq-7499-f3f2 | TSPortal: Any user can forge self-deletion requests for any account
History

Wed, 11 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wikitide; Wikitide tsportal
CPEs | | cpe:2.3:a:wikitide:tsportal:*:*:*:*:*:*:*:*
Vendors & Products | | Wikitide; Wikitide tsportal
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


Mon, 09 Mar 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Miraheze; Miraheze tsportal
Vendors & Products | | Miraheze; Miraheze tsportal

Fri, 06 Mar 2026 21:00:00 +0000

Type | Values Removed | Values Added
Description | | TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 30, conversion of empty strings to null allows disguising DPA reports as genuine self-deletion reports. This issue has been patched in version 30.
Title | | TSPortal: Anyone can forge self-deletion requests of any user
Weaknesses | | CWE-1287; CWE-283
References | |
Metrics | | cvssV4_0: {'score': 8.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:H/SC:N/SI:L/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T20:54:30.781Z

Reserved: 2026-03-04T16:26:02.899Z

Link: CVE-2026-29788

Vulnrichment

Updated: 2026-03-09T20:51:48.380Z

NVD

Status: Analyzed

Published: 2026-03-06T21:16:15.293

Modified: 2026-03-11T14:00:44.740

Link: CVE-2026-29788

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:00:10Z

Weaknesses