Skip to main content

Tsportal CVE-2026-33541

| EUVDEUVD-2026-16398 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-03-26 GitHub_M GHSA-f346-8rp3-4h9h
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 26, 2026 - 20:31 euvd
EUVD-2026-16398
Analysis Generated
Mar 26, 2026 - 20:31 vuln.today
CVE Published
Mar 26, 2026 - 20:27 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 34, a flaw in TSPortal allowed attackers to create arbitrary user records in the database by abusing validation logic. While validation correctly rejected invalid usernames, a side effect within a validation rule caused user records to be created regardless of whether the request succeeded. This could be exploited to cause uncontrolled database growth, leading to a potential denial of service (DoS). Version 34 contains a fix for the issue.

AnalysisAI

TSPortal versions prior to 34 contain an uncontrolled resource creation vulnerability that allows authenticated attackers to generate arbitrary user database records through validation logic abuse, resulting in potential denial of service via uncontrolled database growth. The flaw exists in Miraheze's Trust and Safety management platform (cpe:2.3:a:miraheze:tsportal) and requires low-privilege authenticated access to exploit. Vendor-released patch available in version 34; no public exploit identified at time of analysis.

Technical ContextAI

TSPortal is Miraheze's internal Trust and Safety platform responsible for managing reports, investigations, appeals, and transparency operations. The vulnerability stems from CWE-400 (Uncontrolled Resource Consumption), a class describing systems that fail to properly limit resource allocation. The specific implementation flaw occurs in the username validation routine, where a side effect within the validation logic inadvertently creates user database records even when validation fails and the request is rejected. This represents a classic logic error where pre-validation operations (user creation) proceed independent of post-validation success criteria, allowing an attacker with low-privilege authenticated access to systematically exhaust database capacity through repeated malformed username submissions.

RemediationAI

Upgrade TSPortal to version 34 or later immediately to obtain the vendor-released patch addressing the validation logic flaw. For organizations unable to upgrade immediately, implement network-level rate limiting on user account creation endpoints to restrict the speed at which database growth can occur, and monitor database disk utilization for anomalous growth patterns that may indicate active exploitation. Additionally, restrict TSPortal access to authenticated staff accounts only and enforce periodic review of newly created user records to identify and remove fraudulent accounts introduced during the vulnerability window.

Share

CVE-2026-33541 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy