CVE-2026-33541

Source
https://cve.org/CVERecord?id=CVE-2026-33541
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33541.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33541
Aliases
Published
2026-03-26T20:27:05.840Z
Modified
2026-04-02T13:27:53.499240Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
TSPortal's Uncontrolled User Creation via Validation Side Effects Leads to Potential Denial of Service
Details

TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 34, a flaw in TSPortal allowed attackers to create arbitrary user records in the database by abusing validation logic. While validation correctly rejected invalid usernames, a side effect within a validation rule caused user records to be created regardless of whether the request succeeded. This could be exploited to cause uncontrolled database growth, leading to a potential denial of service (DoS). Version 34 contains a fix for the issue.

Database specific
{
    "cwe_ids": [
        "CWE-400",
        "CWE-770"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33541.json"
}
References

Affected packages

Git / github.com/miraheze/tsportal

Affected ranges

Type
GIT
Repo
https://github.com/miraheze/tsportal
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "34"
        }
    ]
}

Affected versions

Other
v1
v10
v11
v12
v13
v14
v15
v16
v17
v18
v19
v2
v20
v21
v22
v23
v24
v25
v26
v27
v28
v29
v3
v30
v31
v32
v33
v4
v5
v6
v7
v8
v9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33541.json"