CVE-2026-33541

TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 34, a flaw in TSPortal allowed attackers to create arbitrary user records in the database by abusing validation logic. While validation correctly rejected invalid usernames, a side effect within a validation rule caused user records to be created regardless of whether the request succeeded. This could be exploited to cause uncontrolled database growth, leading to a potential denial of service (DoS). Version 34 contains a fix for the issue.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/miraheze/TSPortal/security/advisories/GHSA-f346-8rp3-4h9h

Configurations

No configuration.

History

No history.

Information

Published : 2026-03-26 21:17

Updated : 2026-03-30 13:26

NVD link : CVE-2026-33541

Mitre link : CVE-2026-33541

CVE.ORG link : CVE-2026-33541

JSON object : View

Products Affected

No product.

CWE

CWE-400

Uncontrolled Resource Consumption

CWE-770

Allocation of Resources Without Limits or Throttling

{"id": "CVE-2026-33541", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2026-03-26T21:17:05.867", "references": [{"url": "https://github.com/miraheze/TSPortal/security/advisories/GHSA-f346-8rp3-4h9h", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "TSPortal is the WikiTide Foundation\u2019s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 34, a flaw in TSPortal allowed attackers to create arbitrary user records in the database by abusing validation logic. While validation correctly rejected invalid usernames, a side effect within a validation rule caused user records to be created regardless of whether the request succeeded. This could be exploited to cause uncontrolled database growth, leading to a potential denial of service (DoS). Version 34 contains a fix for the issue."}, {"lang": "es", "value": "TSPortal es la plataforma interna de la Fundaci\u00f3n WikiTide utilizada por el equipo de Confianza y Seguridad para gestionar informes, investigaciones, apelaciones y trabajo de transparencia. Antes de la versi\u00f3n 34, una falla en TSPortal permit\u00eda a los atacantes crear registros de usuario arbitrarios en la base de datos al abusar de la l\u00f3gica de validaci\u00f3n. Si bien la validaci\u00f3n rechazaba correctamente los nombres de usuario no v\u00e1lidos, un efecto secundario dentro de una regla de validaci\u00f3n provocaba que se crearan registros de usuario independientemente de si la solicitud ten\u00eda \u00e9xito. Esto podr\u00eda ser explotado para causar un crecimiento descontrolado de la base de datos, lo que llevar\u00eda a una potencial denegaci\u00f3n de servicio (DoS). La versi\u00f3n 34 contiene una soluci\u00f3n para el problema."}], "lastModified": "2026-03-30T13:26:50.827", "sourceIdentifier": "security-advisories@github.com"}