PT-2026-28493 · Wikitide Foundation · Tsportal

Universal-Omega · Published 2026-03-26 · Updated 2026-03-27 · CVE-2026-33541

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

TSPortal versions prior to 34

Description

TSPortal, the WikiTide Foundation’s in-house platform used by the Trust and Safety team, was found to have a flaw that allowed attackers to create arbitrary user records in the database by abusing validation logic. While the validation process correctly rejected invalid usernames, a side effect within a validation rule caused user records to be created regardless of whether the request was successful. This could be exploited to cause uncontrolled database growth, potentially leading to a denial of service (DoS).

The issue stemmed from two things: a state-changing operation (User::findOrCreate()) was performed inside validation logic, and validation rules executed regardless of overall validation success. Specifically, when a Data Processing Agreement (DPA) request was submitted, the DPAAlreadyLive validation rule called User::findOrCreate(), which created a user record if one did not already exist. This occurred even when the username validation (MirahezeUsernameRule) failed.

An attacker could automate requests with invalid usernames, resulting in mass creation of arbitrary user records, unbounded database growth, increased storage and indexing overhead, and potential degradation of application performance.

Recommendations

Versions prior to 34 should be updated to version 34 or later.
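
The flaw described above, modelled in plain PHP as an added example; it is not TSPortal's code and not the project's actual fix. UserStore, usernameIsValid() and both validate functions are hypothetical, the username pattern is an assumed stand-in for MirahezeUsernameRule, and the rejected inputs are constructed.

```php
<?php
declare(strict_types=1);

// Constructed in-memory stand-in for the users table; not TSPortal code.
final class UserStore
{
    /** @var array<string, bool> username => has a live DPA */
    public array $rows = [];

    // Read-only lookup: null when the user is unknown.
    public function find(string $name): ?bool
    {
        return $this->rows[$name] ?? null;
    }

    // State-changing lookup: inserts a row when the user is unknown.
    public function findOrCreate(string $name): bool
    {
        return $this->rows[$name] ??= false;
    }
}

// Hypothetical username check standing in for MirahezeUsernameRule.
function usernameIsValid(string $name): bool
{
    return preg_match('/^[A-Za-z0-9 _.-]{1,85}$/', $name) === 1;
}

// Flawed shape: both rules always run, and the DPA rule writes.
function validateFlawed(UserStore $db, string $name): bool
{
    $nameOk = usernameIsValid($name);
    $dpaLive = $db->findOrCreate($name); // row created even when $nameOk is false
    return $nameOk && !$dpaLive;
}

// Side-effect-free shape: reject early, then only read.
function validateReadOnly(UserStore $db, string $name): bool
{
    return usernameIsValid($name) && $db->find($name) !== true;
}

// Constructed requests that the username rule rejects.
$flawed = new UserStore();
$fixed = new UserStore();
foreach (['bad|name#1', 'bad|name#2', 'bad|name#3'] as $name) {
    validateFlawed($flawed, $name);
    validateReadOnly($fixed, $name);
}
printf("flawed: %d rows, read-only: %d rows\n", count($flawed->rows), count($fixed->rows));
```

Both validators reject every request; only the row count left behind differs, which makes it the signal to check in a regression test for this class of bug.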

Exploit

Fix

Allocation of Resources Without Limits

Resource Exhaustion

Weakness Enumeration

Related Identifiers

CVE-2026-33541
GHSA-F346-8RP3-4H9H

Affected Products

Tsportal