CVE-2026-29788

TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 30, conversion of empty strings to null allows disguising DPA reports as genuine self-deletion reports. This issue has been patched in version 30.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/miraheze/TSPortal/security/advisories/GHSA-gfhq-7499-f3f2	Exploit Vendor Advisory
https://issue-tracker.miraheze.org/T15053	Issue Tracking

Configurations

Configuration 1 (hide)

cpe:2.3:a:wikitide:tsportal:*:*:*:*:*:*:*:*

History

11 Mar 2026, 14:00

Type	Values Removed	Values Added
First Time		Wikitide Wikitide tsportal
Summary		(es) TSPortal es la plataforma interna de la Fundación WikiTide utilizada por el equipo de Confianza y Seguridad para gestionar informes, investigaciones, apelaciones y el trabajo de transparencia. Antes de la versión 30, la conversión de cadenas vacías a nulo permitía disfrazar informes de DPA como informes genuinos de autoeliminación. Este problema ha sido parcheado en la versión 30.
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
References	~~() https://github.com/miraheze/TSPortal/security/advisories/GHSA-gfhq-7499-f3f2 -~~	() https://github.com/miraheze/TSPortal/security/advisories/GHSA-gfhq-7499-f3f2 - Exploit, Vendor Advisory
References	~~() https://issue-tracker.miraheze.org/T15053 -~~	() https://issue-tracker.miraheze.org/T15053 - Issue Tracking
CPE		cpe:2.3:a:wikitide:tsportal::::::::

06 Mar 2026, 21:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-06 21:16

Updated : 2026-03-11 14:00

NVD link : CVE-2026-29788

Mitre link : CVE-2026-29788

CVE.ORG link : CVE-2026-29788

JSON object : View

Products Affected

wikitide

tsportal

CWE

CWE-283

Unverified Ownership

CWE-1287

Improper Validation of Specified Type of Input

{"id": "CVE-2026-29788", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.4, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:H/SC:N/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-06T21:16:15.293", "references": [{"url": "https://github.com/miraheze/TSPortal/security/advisories/GHSA-gfhq-7499-f3f2", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://issue-tracker.miraheze.org/T15053", "tags": ["Issue Tracking"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-283"}, {"lang": "en", "value": "CWE-1287"}]}], "descriptions": [{"lang": "en", "value": "TSPortal is the WikiTide Foundation\u2019s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 30, conversion of empty strings to null allows disguising DPA reports as genuine self-deletion reports. This issue has been patched in version 30."}, {"lang": "es", "value": "TSPortal es la plataforma interna de la Fundaci\u00f3n WikiTide utilizada por el equipo de Confianza y Seguridad para gestionar informes, investigaciones, apelaciones y el trabajo de transparencia. Antes de la versi\u00f3n 30, la conversi\u00f3n de cadenas vac\u00edas a nulo permit\u00eda disfrazar informes de DPA como informes genuinos de autoeliminaci\u00f3n. Este problema ha sido parcheado en la versi\u00f3n 30."}], "lastModified": "2026-03-11T14:00:44.740", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wikitide:tsportal:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "35701831-64E1-402F-8314-4D171569C7BC", "versionEndExcluding": "30"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}