CVE-2026-29788

High · Public PoC

Published: 06 March 2026

Modified: 11 March 2026
CVSS Score v4: 8.4 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:H/SC:N/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0026 (17.4th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-29788 is a high-severity Unverified Ownership (CWE-283) vulnerability in WikiTide TSPortal. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 17.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-29788 is a vulnerability in TSPortal, the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 30, the platform's conversion of empty strings to null enables attackers to disguise DPA reports as genuine self-deletion reports. Published on 2026-03-06, the issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and maps to CWE-283 and CWE-1287.

Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction. By submitting specially crafted reports that exploit the string-to-null conversion, they can misrepresent DPA reports as self-deletion reports, achieving high integrity impact through manipulation of report processing and potentially misleading Trust and Safety workflows.

The vulnerability has been patched in TSPortal version 30. Advisories recommend upgrading to this version or later. Further details are provided in the GitHub security advisory at https://github.com/miraheze/TSPortal/security/advisories/GHSA-gfhq-7499-f3f2 and the Miraheze issue tracker at https://issue-tracker.miraheze.org/T15053.

Vulnerability details

TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 30, conversion of empty strings to null allows disguising DPA reports as genuine self-deletion reports. This issue has been patched in version 30.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1565 Data Manipulation (Impact): Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

Why these techniques?

The vulnerability in the public-facing TSPortal web platform allows unauthenticated remote submission of crafted reports via a string-to-null logic flaw. This directly enables T1190 (Exploit Public-Facing Application) for initial interaction and T1565 (Data Manipulation) through misrepresentation of report types, which affects processing workflows.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33806 (Shared CWE-1287)
CVE-2026-20119 (Shared CWE-1287)
CVE-2025-12977 (Shared CWE-1287)
CVE-2026-2004 (Shared CWE-1287)
CVE-2026-9521 (Shared CWE-1287)
CVE-2025-20621 (Shared CWE-1287)
CVE-2026-2092 (Shared CWE-1287)
CVE-2026-20912 (Shared CWE-283)
CVE-2025-24876 (Shared CWE-1287)
CVE-2024-12756 (Shared CWE-1287)

Affected Assets

wikitide
tsportal
≤ 30

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: SI-10 mandates validation of information inputs to prevent improper handling of empty strings as null, directly blocking the disguise of DPA reports as self-deletion reports.

prevent, recover: SI-2 requires timely identification and remediation of flaws like the empty string to null conversion vulnerability, as addressed by the patch in TSPortal version 30.

prevent: SI-9 restricts characteristics of inputs such as report types to exclude empty or null values, mitigating attempts to misrepresent report categories.
