CVE-2026-29788

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-29788

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-29788.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-29788

Aliases

GHSA-gfhq-7499-f3f2

Published

2026-03-06T20:31:17.994Z

Modified

2026-04-02T13:23:06.528265Z

Severity

8.4 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:H/SC:N/SI:L/SA:H CVSS Calculator

Summary

TSPortal: Anyone can forge self-deletion requests of any user

Details

TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 30, conversion of empty strings to null allows disguising DPA reports as genuine self-deletion reports. This issue has been patched in version 30.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/29xxx/CVE-2026-29788.json",
    "cwe_ids": [
        "CWE-1287",
        "CWE-283"
    ],
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/miraheze/tsportal

Affected ranges

Type: GIT
Repo: https://github.com/miraheze/tsportal
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

37f162c637e129c111fa513e3f9c60bccf32b6cb

Affected versions

Other

v10

v11

v12

v13

v14

v15

v16

v17

v18

v19

v20

v21

v22

v23

v24

v25

v26

v27

v28

v29

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-29788.json"