Tiki


Products by Tiki Sorted by Most Security Vulnerabilities since 2018

Tikiwiki Cmsgroupware: 15 vulnerabilities

Tiki: 13 vulnerabilities

By the Year

In 2026 there have been 0 vulnerabilities in Tiki. Last year, in 2025, Tiki had 3 security vulnerabilities published. Right now, Tiki is on track to have fewer security vulnerabilities in 2026 than it did last year.




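| Year | Vulnerabilities | Average Score |
|------|-----------------|---------------|
| 2026 | 0 | 0.00 |
| 2025 | 3 | 9.90 |
| 2024 | 5 | 0.00 |
| 2023 | 4 | 7.83 |
| 2022 | 0 | 0.00 |
| 2021 | 2 | 5.40 |
| 2020 | 3 | 8.37 |
| 2019 | 2 | 5.40 |
| 2018 | 7 | 0.00 |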

It may take a day or so for new Tiki vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Tiki Security Vulnerabilities

CVE-2025-34113 (Jul 15, 2025)
Tiki Wiki CMS 14.1 Auth Command Injection via viewmode (CVE-2025-34113)
An authenticated command injection vulnerability exists in Tiki Wiki CMS versions 14.1, 12.4 LTS, 9.10 LTS, and 6.14 via the `viewmode` GET parameter in `tiki-calendar.php`. When the calendar module is enabled and an authenticated user has permission to access it, an attacker can inject and execute arbitrary PHP code. Successful exploitation leads to remote code execution in the context of the web server user.
Products: Tikiwiki Cmsgroupware

CVE-2025-34111 (Jul 15, 2025)
Tiki Wiki CMS G/W 15.1- unauthed arbitrary file upload via ELFinder
An unauthenticated arbitrary file upload vulnerability exists in Tiki Wiki CMS Groupware version 15.1 and earlier via the ELFinder component's default connector (connector.minimal.php), which allows remote attackers to upload and execute malicious PHP scripts in the context of the web server. The vulnerable component does not enforce file type validation, allowing attackers to craft a POST request to upload executable PHP payloads through the ELFinder interface exposed at /vendor_extra/elfinder/.
Products: Tikiwiki Cmsgroupware

CVE-2025-32461 (Apr 09, 2025)
Tiki Wiki CVE eval injection via wikiplugin_includetpl <v28.3
wikiplugin_includetpl in lib/wiki-plugins/wikiplugin_includetpl.php in Tiki before 28.3 mishandles input to an eval. The fixed versions are 21.12, 24.8, 27.2, and 28.3.
Products: Tiki

CVE-2024-47920 (Dec 30, 2024)
Tiki Wiki CMS XSS via Improper Input Neutralization
Tiki Wiki CMS CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Products: Tiki

CVE-2024-51507 (Oct 28, 2024)
Tiki CMS 27.0 Stored XSS via External Wiki Name Field
Tiki through 27.0 allows users who have certain permissions to insert a "Create/Edit External Wiki" stored XSS payload in the Name.
Products: Tiki

CVE-2024-51509 (Oct 28, 2024)
CVE-2024-51509: Tiki 27.0 Stored XSS via Admin Modules
Tiki through 27.0 allows users who have certain permissions to insert a "Modules" (aka tiki-admin_modules.php) stored XSS payload in the Name.
Products: Tiki

CVE-2024-51508 (Oct 28, 2024)
Tiki <=27.0 Stored XSS via Create/Edit External Wiki index Insert
Tiki through 27.0 allows users who have certain permissions to insert a "Create/Edit External Wiki" stored XSS payload in the Index.
Products: Tiki

CVE-2024-51506 (Oct 28, 2024)
Tiki 27.0 Stored XSS via description field
Tiki through 27.0 allows users who have certain permissions to insert a "Create a Wiki Pages" stored XSS payload in the description.
Products: Tiki

CVE-2023-22850 (Jan 14, 2023)
Tiki <24.1 lib/sheet/grid.php PHP Object Injection
Tiki before 24.1, when the Spreadsheets feature is enabled, allows lib/sheet/grid.php PHP Object Injection because of an unserialize call.
Products: Tiki

CVE-2023-22851 (Jan 14, 2023)
Tiki <24.2 PHP OI via tikiimporter_blog_wordpress.php
Tiki before 24.2 allows lib/importer/tikiimporter_blog_wordpress.php PHP Object Injection by an admin because of an unserialize call.
Products: Tiki
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).