CVE-2026-29788
Published: 06 March 2026
Summary
CVE-2026-29788 is a high-severity Unverified Ownership (CWE-283) vulnerability in WikiTide TSPortal. Its CVSS base score is 8.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 17.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-29788 is a vulnerability in TSPortal, the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 30, the platform's conversion of empty strings to null enables attackers to disguise DPA reports as genuine self-deletion reports. Published on 2026-03-06, the issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and maps to CWE-283 and CWE-1287.
Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction. By submitting specially crafted reports that exploit the string-to-null conversion, they can misrepresent DPA reports as self-deletion reports, achieving high integrity impact through manipulation of report processing and potentially misleading Trust and Safety workflows.
The vulnerability has been patched in TSPortal version 30. Advisories recommend upgrading to this version or later. Further details are provided in the GitHub security advisory at https://github.com/miraheze/TSPortal/security/advisories/GHSA-gfhq-7499-f3f2 and the Miraheze issue tracker at https://issue-tracker.miraheze.org/T15053.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10067
Vulnerability details
TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 30, conversion of empty strings to null allows disguising DPA reports as genuine self-deletion reports. This issue has been patched in version 30.
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
A vulnerability in the public-facing TSPortal web platform allows unauthenticated remote submission of crafted reports via a string-to-null logic flaw. This directly enables T1190 (Exploit Public-Facing Application) for initial interaction and T1565 (Data Manipulation) via misrepresentation of report types, which affects processing workflows.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-10 mandates validation of information inputs to prevent improper handling of empty strings as null, directly blocking the disguise of DPA reports as self-deletion reports.
SI-2 requires timely identification and remediation of flaws like the empty string to null conversion vulnerability, as addressed by the patch in TSPortal version 30.
SI-9 restricts characteristics of inputs such as report types to exclude empty or null values, mitigating attempts to misrepresent report categories.