CVE-2026-29788
Received Received - Intake
Null Conversion Vulnerability in TSPortal Enables Report Spoofing

Publication date: 2026-03-06

Last updated on: 2026-03-11

Assigner: GitHub, Inc.

Description
TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 30, conversion of empty strings to null allows disguising DPA reports as genuine self-deletion reports. This issue has been patched in version 30.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-06
Last Modified
2026-03-11
Generated
2026-06-16
AI Q&A
2026-03-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-29788
EUVD
EUVD-2026-10067
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wikitide tsportal to 30 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1287 The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.
CWE-283 The product does not properly verify that a critical resource is owned by the proper entity.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can lead to unauthorized deletion of arbitrary user data within the TSPortal system and potentially in integrated systems.

The impact affects data integrity and system availability, as attackers can remotely delete user data without consent or authentication.

Confidentiality is not affected, but the loss or alteration of data can disrupt operations and trust in the system.

Compliance Impact

I don't know

Executive Summary

CVE-2026-29788 is a high-severity vulnerability in the Miraheze TSPortal system versions up to 29, patched in version 30. The issue occurs because empty strings submitted in Data Protection Act (DPA) reports are converted to null values by middleware, and the system lacks proper validation for the evidence field.

This allows an attacker to submit a forged DPA report about another user, leaving the evidence field empty, which the system mistakenly treats as a genuine self-deletion request from the reported user.

As a result, attackers can remotely and without any privileges or user interaction trigger unauthorized deletion of arbitrary user data.

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves identifying attempts to submit DPA reports with empty evidence fields that are processed as self-deletion requests.'}, {'type': 'paragraph', 'content': 'One method is to monitor logs or network traffic for POST requests to the DPA reporting endpoint where the evidence field is empty or null.'}, {'type': 'paragraph', 'content': 'For example, you can use commands to search web server logs for suspicious DPA report submissions with empty evidence fields.'}, {'type': 'list_item', 'content': "Using grep on server logs: grep -i 'dpa' /var/log/apache2/access.log | grep 'evidence='"}, {'type': 'list_item', 'content': 'Check for evidence parameter being empty or null in HTTP POST data.'}, {'type': 'list_item', 'content': 'Monitor application logs for entries where DPAController::store() processes reports with empty evidence.'}] [1, 2]

Mitigation Strategies

Immediate mitigation steps include disabling the middleware feature that converts empty strings to null (convertEmptyStringsToNull) in the Laravel framework used by TSPortal.

Additionally, enforce validation in the DPAController::store() method to ensure that the evidence field is not empty before processing the report.

Upgrading to version 30 or later of the TSPortal software, where this issue has been patched, is strongly recommended.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29788. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart