Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 34, a flaw in TSPortal allowed attackers to create arbitrary user records in the database by abusing validation logic. While validation correctly rejected invalid usernames, a side effect within a validation rule caused user records to be created regardless of whether the request succeeded. This could be exploited to cause uncontrolled database growth, leading to a potential denial of service (DoS). Version 34 contains a fix for the issue.
AnalysisAI
TSPortal versions prior to 34 contain an uncontrolled resource creation vulnerability that allows authenticated attackers to generate arbitrary user database records through validation logic abuse, resulting in potential denial of service via uncontrolled database growth. The flaw exists in Miraheze's Trust and Safety management platform (cpe:2.3:a:miraheze:tsportal) and requires low-privilege authenticated access to exploit. Vendor-released patch available in version 34; no public exploit identified at time of analysis.
Technical ContextAI
TSPortal is Miraheze's internal Trust and Safety platform responsible for managing reports, investigations, appeals, and transparency operations. The vulnerability stems from CWE-400 (Uncontrolled Resource Consumption), a class describing systems that fail to properly limit resource allocation. The specific implementation flaw occurs in the username validation routine, where a side effect within the validation logic inadvertently creates user database records even when validation fails and the request is rejected. This represents a classic logic error where pre-validation operations (user creation) proceed independent of post-validation success criteria, allowing an attacker with low-privilege authenticated access to systematically exhaust database capacity through repeated malformed username submissions.
RemediationAI
Upgrade TSPortal to version 34 or later immediately to obtain the vendor-released patch addressing the validation logic flaw. For organizations unable to upgrade immediately, implement network-level rate limiting on user account creation endpoints to restrict the speed at which database growth can occur, and monitor database disk utilization for anomalous growth patterns that may indicate active exploitation. Additionally, restrict TSPortal access to authenticated staff accounts only and enforce periodic review of newly created user records to identify and remove fraudulent accounts introduced during the vulnerability window.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16398
GHSA-f346-8rp3-4h9h