Cyber Posture

CVE-2026-29788

High · Public PoC

Published: 06 March 2026

Modified: 11 March 2026
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.0004 (11.8th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-29788 is a high-severity Unverified Ownership (CWE-283) vulnerability in Wikitide Tsportal. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 11.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.

Threat & Defense Details

MITRE ATT&CK Enterprise Techniques (AI)

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1565 · Data Manipulation · Impact
Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

Why these techniques?

The vulnerability in the public-facing TSPortal web platform allows unauthenticated remote submission of crafted reports via a string-to-null logic flaw. This directly enables T1190 (Exploit Public-Facing Application) for initial interaction and T1565 (Data Manipulation) through misrepresentation of report types, which affects processing workflows.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 30, conversion of empty strings to null allows disguising DPA reports as genuine self-deletion reports. This issue has been patched in version 30.

Deeper analysis (AI)

CVE-2026-29788 is a vulnerability in TSPortal, the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 30, the platform's conversion of empty strings to null enables attackers to disguise DPA reports as genuine self-deletion reports. Published on 2026-03-06, the issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and maps to CWE-283 and CWE-1287.

Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction. By submitting specially crafted reports that exploit the string-to-null conversion, they can misrepresent DPA reports as self-deletion reports, achieving high integrity impact through manipulation of report processing and potentially misleading Trust and Safety workflows.

The vulnerability has been patched in TSPortal version 30. Advisories recommend upgrading to this version or later. Further details are provided in the GitHub security advisory at https://github.com/miraheze/TSPortal/security/advisories/GHSA-gfhq-7499-f3f2 and the Miraheze issue tracker at https://issue-tracker.miraheze.org/T15053.

Details

CWE(s)

CWE-283, CWE-1287

Affected Products

wikitide · tsportal · ≤ 30

CVEs Like This One

CVE-2026-33806 · Shared CWE-1287
CVE-2025-12977 · Shared CWE-1287
CVE-2026-2092 · Shared CWE-1287
CVE-2025-20621 · Shared CWE-1287
CVE-2026-2004 · Shared CWE-1287
CVE-2026-20119 · Shared CWE-1287
CVE-2025-24876 · Shared CWE-1287
CVE-2026-26016 · Shared CWE-283
CVE-2024-5594 · Shared CWE-1287
CVE-2026-26115 · Shared CWE-1287
