Description
TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 34, a flaw in TSPortal allowed attackers to create arbitrary user records in the database by abusing validation logic. While validation correctly rejected invalid usernames, a side effect within a validation rule caused user records to be created regardless of whether the request succeeded. This could be exploited to cause uncontrolled database growth, leading to a potential denial of service (DoS). Version 34 contains a fix for the issue.
Published: 2026-03-26
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: Denial of Service via uncontrolled user creation
Action: Patch
AI Analysis

Impact

A flaw in TSPortal’s validation logic lets attackers trigger a side effect that creates user records in the database even when a username fails validation. The rule that accepts invalid usernames and its side effect results in uncontrolled database growth, which is a classic denial of service scenario. The weakness corresponds to CWE‑400, Denial of Service, and CWE‑770, Uncontrolled Resource Consumption.

Affected Systems

The vulnerability affects TSPortal deployments that use versions prior to 34. The application is run by the WikiTide Foundation’s Trust and Safety team to handle reports, appeals, and transparency work. The issue was fixed in version 34.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting it is not a known exploited vulnerability yet. An attacker can likely exploit the flaw from an unauthenticated request; no special privileges are required, and the side effect will occur regardless of the request outcome, making the attack path straightforward.

Generated by OpenCVE AI on March 26, 2026 at 22:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to TSPortal 34 or newer

Generated by OpenCVE AI on March 26, 2026 at 22:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Miraheze
Miraheze tsportal
Vendors & Products Miraheze
Miraheze tsportal

Thu, 26 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Description TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 34, a flaw in TSPortal allowed attackers to create arbitrary user records in the database by abusing validation logic. While validation correctly rejected invalid usernames, a side effect within a validation rule caused user records to be created regardless of whether the request succeeded. This could be exploited to cause uncontrolled database growth, leading to a potential denial of service (DoS). Version 34 contains a fix for the issue.
Title TSPortal's Uncontrolled User Creation via Validation Side Effects Leads to Potential Denial of Service
Weaknesses CWE-400
CWE-770
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Miraheze Tsportal
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T20:27:05.840Z

Reserved: 2026-03-20T18:05:11.832Z

Link: CVE-2026-33541

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-03-26T21:17:05.867

Modified: 2026-03-26T21:17:05.867

Link: CVE-2026-33541

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:23:33Z

Weaknesses