{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33541", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-20T18:05:11.832Z", "datePublished": "2026-03-26T20:27:05.840Z", "dateUpdated": "2026-03-27T20:01:35.174Z"}, "containers": {"cna": {"title": "TSPortal's Uncontrolled User Creation via Validation Side Effects Leads to Potential Denial of Service", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/miraheze/TSPortal/security/advisories/GHSA-f346-8rp3-4h9h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/miraheze/TSPortal/security/advisories/GHSA-f346-8rp3-4h9h"}], "affected": [{"vendor": "miraheze", "product": "TSPortal", "versions": [{"version": "< 34", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T20:27:05.840Z"}, "descriptions": [{"lang": "en", "value": "TSPortal is the WikiTide Foundation\u2019s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 34, a flaw in TSPortal allowed attackers to create arbitrary user records in the database by abusing validation logic. While validation correctly rejected invalid usernames, a side effect within a validation rule caused user records to be created regardless of whether the request succeeded. This could be exploited to cause uncontrolled database growth, leading to a potential denial of service (DoS). Version 34 contains a fix for the issue."}], "source": {"advisory": "GHSA-f346-8rp3-4h9h", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T19:52:08.746386Z", "id": "CVE-2026-33541", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T20:01:35.174Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33541", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T19:52:08.746386Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T19:52:12.106Z"}}], "cna": {"title": "TSPortal's Uncontrolled User Creation via Validation Side Effects Leads to Potential Denial of Service", "source": {"advisory": "GHSA-f346-8rp3-4h9h", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "miraheze", "product": "TSPortal", "versions": [{"status": "affected", "version": "< 34"}]}], "references": [{"url": "https://github.com/miraheze/TSPortal/security/advisories/GHSA-f346-8rp3-4h9h", "name": "https://github.com/miraheze/TSPortal/security/advisories/GHSA-f346-8rp3-4h9h", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "TSPortal is the WikiTide Foundation\u2019s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 34, a flaw in TSPortal allowed attackers to create arbitrary user records in the database by abusing validation logic. While validation correctly rejected invalid usernames, a side effect within a validation rule caused user records to be created regardless of whether the request succeeded. This could be exploited to cause uncontrolled database growth, leading to a potential denial of service (DoS). Version 34 contains a fix for the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T20:27:05.840Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33541", "state": "PUBLISHED", "dateUpdated": "2026-03-27T20:01:35.174Z", "dateReserved": "2026-03-20T18:05:11.832Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T20:27:05.840Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wikitide:tsportal:*:*:*:*:*:*:*:*", "matchCriteriaId": "4EB3C2C4-36B0-46DD-8B37-3F93629BAC0C", "versionEndExcluding": "34", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "TSPortal is the WikiTide Foundation\u2019s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 34, a flaw in TSPortal allowed attackers to create arbitrary user records in the database by abusing validation logic. While validation correctly rejected invalid usernames, a side effect within a validation rule caused user records to be created regardless of whether the request succeeded. This could be exploited to cause uncontrolled database growth, leading to a potential denial of service (DoS). Version 34 contains a fix for the issue."}, {"lang": "es", "value": "TSPortal es la plataforma interna de la Fundaci\u00f3n WikiTide utilizada por el equipo de Confianza y Seguridad para gestionar informes, investigaciones, apelaciones y trabajo de transparencia. Antes de la versi\u00f3n 34, una falla en TSPortal permit\u00eda a los atacantes crear registros de usuario arbitrarios en la base de datos al abusar de la l\u00f3gica de validaci\u00f3n. Si bien la validaci\u00f3n rechazaba correctamente los nombres de usuario no v\u00e1lidos, un efecto secundario dentro de una regla de validaci\u00f3n provocaba que se crearan registros de usuario independientemente de si la solicitud ten\u00eda \u00e9xito. Esto podr\u00eda ser explotado para causar un crecimiento descontrolado de la base de datos, lo que llevar\u00eda a una potencial denegaci\u00f3n de servicio (DoS). La versi\u00f3n 34 contiene una soluci\u00f3n para el problema."}], "id": "CVE-2026-33541", "lastModified": "2026-04-03T20:20:56.697", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T21:17:05.867", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/miraheze/TSPortal/security/advisories/GHSA-f346-8rp3-4h9h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,34)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "TSPortal", "source": "cna", "vendor": "miraheze"}, "product": "tsportal", "vendor": "miraheze"}], "analysis": {"en": {"generated_at": "2026-04-03T23:29:57.105599+00:00", "value": {"mitigation_remediation": ["Apply the TSPortal version\u00a034 or newer patch that fixes the validation side\u2011effect issue.", "If an upgrade cannot be performed immediately, consider temporarily disabling or restricting the user\u2011creation functionality and applying rate limiting to the endpoint.", "Monitor database growth and resource utilization for anomalies that could indicate misuse."], "summary": {"action": "Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerable product is Miraheze TSPortal. Versions earlier than 34 are affected. The fix is included in version\u00a034 and later releases. No other products or vendors are listed.", "description_and_impact": "TSPortal is a platform used by the WikiTide Foundation to handle reports, investigations, appeals, and transparency work. A flaw in validation logic before version\u00a034 allows attackers to create arbitrary user records even when the username validation fails. This side effect causes uncontrolled growth of the user database, which can exhaust storage or other system resources and lead to a denial of service. The issue is identified as CWE\u2011400 (Information Saturation) and CWE\u2011770 (Allocation of Resources Without Limits).", "risk_and_exploitability": "The CVSS score of\u00a06.5 indicates medium severity. An EPSS score of less than\u202f1% implies a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The description does not specify whether authentication is required, so it cannot be said that any special privileges are needed or that an attacker must have user access. Based on the description, it is inferred that an attacker could trigger the bug by sending crafted requests to the user\u2011creation endpoint, but the exact method or required access is not detailed in the provided information."}}}}, "created": "2026-03-27T08:32:05.229773+00:00", "updated": "2026-04-07T08:08:56.399157+00:00", "vendors": ["miraheze", "miraheze$PRODUCT$tsportal"]}