Description
TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 34, a flaw in TSPortal allowed attackers to create arbitrary user records in the database by abusing validation logic. While validation correctly rejected invalid usernames, a side effect within a validation rule caused user records to be created regardless of whether the request succeeded. This could be exploited to cause uncontrolled database growth, leading to a potential denial of service (DoS). Version 34 contains a fix for the issue.
Published: 2026-03-26
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

TSPortal is a platform used by the WikiTide Foundation to handle reports, investigations, appeals, and transparency work. A flaw in validation logic before version 34 allows attackers to create arbitrary user records even when the username validation fails. This side effect causes uncontrolled growth of the user database, which can exhaust storage or other system resources and lead to a denial of service. The issue is identified as CWE‑400 (Information Saturation) and CWE‑770 (Allocation of Resources Without Limits).

Affected Systems

The vulnerable product is Miraheze TSPortal. Versions earlier than 34 are affected. The fix is included in version 34 and later releases. No other products or vendors are listed.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity. An EPSS score of less than 1% implies a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The description does not specify whether authentication is required, so it cannot be said that any special privileges are needed or that an attacker must have user access. Based on the description, it is inferred that an attacker could trigger the bug by sending crafted requests to the user‑creation endpoint, but the exact method or required access is not detailed in the provided information.

Generated by OpenCVE AI on April 3, 2026 at 23:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the TSPortal version 34 or newer patch that fixes the validation side‑effect issue.
  • If an upgrade cannot be performed immediately, consider temporarily disabling or restricting the user‑creation functionality and applying rate limiting to the endpoint.
  • Monitor database growth and resource utilization for anomalies that could indicate misuse.

Generated by OpenCVE AI on April 3, 2026 at 23:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-f346-8rp3-4h9h TSPortal's Uncontrolled User Creation via Validation Side Effects Leads to Potential Denial of Service
History

Fri, 03 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Wikitide
Wikitide tsportal
CPEs cpe:2.3:a:wikitide:tsportal:*:*:*:*:*:*:*:*
Vendors & Products Wikitide
Wikitide tsportal

Fri, 27 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Miraheze
Miraheze tsportal
Vendors & Products Miraheze
Miraheze tsportal

Thu, 26 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Description TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 34, a flaw in TSPortal allowed attackers to create arbitrary user records in the database by abusing validation logic. While validation correctly rejected invalid usernames, a side effect within a validation rule caused user records to be created regardless of whether the request succeeded. This could be exploited to cause uncontrolled database growth, leading to a potential denial of service (DoS). Version 34 contains a fix for the issue.
Title TSPortal's Uncontrolled User Creation via Validation Side Effects Leads to Potential Denial of Service
Weaknesses CWE-400
CWE-770
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Miraheze Tsportal
Wikitide Tsportal
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T20:01:35.174Z

Reserved: 2026-03-20T18:05:11.832Z

Link: CVE-2026-33541

cve-icon Vulnrichment

Updated: 2026-03-27T19:52:12.106Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T21:17:05.867

Modified: 2026-04-03T20:20:56.697

Link: CVE-2026-33541

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T08:08:56Z

Weaknesses