CVE-2026-29788
Null Conversion Vulnerability in TSPortal Enables Report Spoofing
Publication date: 2026-03-06
Last updated on: 2026-03-11
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wikitide | tsportal | to 30 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-283 | The product does not properly verify that a critical resource is owned by the proper entity. |
| CWE-1287 | The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-29788 is a high-severity vulnerability in the Miraheze TSPortal system versions up to 29, patched in version 30. The issue occurs because empty strings submitted in Data Protection Act (DPA) reports are converted to null values by middleware, and the system lacks proper validation for the evidence field.
This allows an attacker to submit a forged DPA report about another user, leaving the evidence field empty, which the system mistakenly treats as a genuine self-deletion request from the reported user.
As a result, attackers can trigger unauthorized deletion of arbitrary user data remotely, without any privileges or user interaction.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying attempts to submit DPA reports with empty evidence fields that are processed as self-deletion requests.
One method is to monitor logs or network traffic for POST requests to the DPA reporting endpoint where the evidence field is empty or null.
For example, you can use commands to search web server logs for suspicious DPA report submissions with empty evidence fields.
- Using grep on server logs: grep -i 'dpa' /var/log/apache2/access.log | grep 'evidence='
- Check for evidence parameter being empty or null in HTTP POST data.
- Monitor application logs for entries where DPAController::store() processes reports with empty evidence. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling the middleware feature that converts empty strings to null (convertEmptyStringsToNull) in the Laravel framework used by TSPortal.
Additionally, enforce validation in the DPAController::store() method to ensure that the evidence field is not empty before processing the report.
Upgrading to version 30 or later of the TSPortal software, where this issue has been patched, is strongly recommended.
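As an added illustration (not TSPortal's code), this framework-free PHP models the flaw described above and a hardened check that validates the evidence field and takes ownership from the authenticated session. The function names, the subject field and the sample user names are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Simplified stand-in for the empty-string-to-null middleware behaviour
// the page describes; this is not Laravel's own implementation.
function convertEmptyStringsToNull(array $input): array
{
    return array_map(fn ($v) => $v === '' ? null : $v, $input);
}

// Flawed pattern: the absence of evidence alone is read as proof that
// the subject filed the request themselves.
function classifyLoose(array $report): string
{
    return $report['evidence'] === null ? 'self-deletion' : 'third-party-report';
}

// Hardened pattern: ownership is decided by the authenticated identity,
// and any report about someone else must carry non-empty string evidence.
function classifyStrict(array $report, ?string $authenticatedUser): string
{
    $isSelf = $authenticatedUser !== null
        && $authenticatedUser === ($report['subject'] ?? null);
    if ($isSelf) {
        return 'self-deletion';
    }
    $evidence = $report['evidence'] ?? null;
    if (!is_string($evidence) || trim($evidence) === '') {
        throw new InvalidArgumentException('evidence is required for reports about another user');
    }
    return 'third-party-report';
}

// Constructed sample input: a report about another user with the
// evidence field left blank, after the middleware conversion.
$posted = convertEmptyStringsToNull(['subject' => 'ExampleUser', 'evidence' => '']);

echo 'loose:  ', classifyLoose($posted), PHP_EOL;
try {
    // Requester is not the subject (hypothetical session user).
    echo 'strict: ', classifyStrict($posted, 'SomeoneElse'), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'strict: rejected, ', $e->getMessage(), PHP_EOL;
}
// Requester is the verified owner of the account being deleted.
echo 'owner:  ', classifyStrict($posted, 'ExampleUser'), PHP_EOL;
```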
How can this vulnerability impact me?
This vulnerability can lead to unauthorized deletion of arbitrary user data within the TSPortal system and potentially in integrated systems.
The impact affects data integrity and system availability, as attackers can remotely delete user data without consent or authentication.
Confidentiality is not affected, but the loss or alteration of data can disrupt operations and trust in the system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know