Tiki

Products by Tiki, Sorted by Most Security Vulnerabilities since 2018

Tiki: 15 vulnerabilities

Tikiwiki Cmsgroupware: 15 vulnerabilities

By the Year

In 2026 there have been 2 vulnerabilities in Tiki, with an average score of 5.4 out of ten. Last year, in 2025, Tiki had 3 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Tiki in 2026 could surpass last year's number. Last year, the average CVE base score was greater by 4.50.

Year Vulnerabilities Average Score
2026 2 5.40
2025 3 9.90
2024 5 0.00
2023 4 7.83
2022 0 0.00
2021 2 5.40
2020 3 8.37
2019 2 5.40
2018 7 0.00

It may take a day or so for new Tiki vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Tiki Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2024-46878 Mar 23, 2026
XSS in tiki-editpage.php 'page' param in Tiki 26.3
A Cross-Site Scripting (XSS) vulnerability exists in the page parameter of tiki-editpage.php in Tiki version 26.3 and earlier. This vulnerability allows attackers to execute arbitrary JavaScript code via a crafted payload, leading to potential access to sensitive information or unauthorized actions.
Tiki
CVE-2024-46879 Mar 23, 2026
Tiki 21.2 Reflected XSS in tiki-admin_system.php zipPath
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the POST request data zipPath of tiki-admin_system.php in Tiki version 21.2. This vulnerability allows attackers to execute arbitrary JavaScript code via a crafted payload, leading to potential access to sensitive information or unauthorized actions.
Tiki
CVE-2025-34113 Jul 15, 2025
Tiki Wiki CMS 14.1 Auth Command Injection via viewmode (CVE-2025-34113)
An authenticated command injection vulnerability exists in Tiki Wiki CMS versions 14.1, 12.4 LTS, 9.10 LTS, and 6.14 via the `viewmode` GET parameter in `tiki-calendar.php`. When the calendar module is enabled and an authenticated user has permission to access it, an attacker can inject and execute arbitrary PHP code. Successful exploitation leads to remote code execution in the context of the web server user.
Tikiwiki Cmsgroupware
CVE-2025-34111 Jul 15, 2025
Tiki Wiki CMS G/W 15.1- unauthed arbitrary file upload via ELFinder
An unauthenticated arbitrary file upload vulnerability exists in Tiki Wiki CMS Groupware version 15.1 and earlier via the ELFinder component's default connector (connector.minimal.php), which allows remote attackers to upload and execute malicious PHP scripts in the context of the web server. The vulnerable component does not enforce file type validation, allowing attackers to craft a POST request to upload executable PHP payloads through the ELFinder interface exposed at /vendor_extra/elfinder/.
Tikiwiki Cmsgroupware
CVE-2025-32461 Apr 09, 2025
Tiki Wiki CVE eval injection via wikiplugin_includetpl <v28.3
wikiplugin_includetpl in lib/wiki-plugins/wikiplugin_includetpl.php in Tiki before 28.3 mishandles input to an eval. The fixed versions are 21.12, 24.8, 27.2, and 28.3.
Tiki
CVE-2024-47920 Dec 30, 2024
Tiki Wiki CMS XSS via Improper Input Neutralization
Tiki Wiki CMS CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Tiki
CVE-2024-51506 Oct 28, 2024
Tiki 27.0 Stored XSS via description field
Tiki through 27.0 allows users who have certain permissions to insert a "Create a Wiki Pages" stored XSS payload in the description.
Tiki
CVE-2024-51509 Oct 28, 2024
CVE-2024-51509: Tiki 27.0 Stored XSS via Admin Modules
Tiki through 27.0 allows users who have certain permissions to insert a "Modules" (aka tiki-admin_modules.php) stored XSS payload in the Name.
Tiki
CVE-2024-51508 Oct 28, 2024
Tiki <=27.0 Stored XSS via Create/Edit External Wiki index Insert
Tiki through 27.0 allows users who have certain permissions to insert a "Create/Edit External Wiki" stored XSS payload in the Index.
Tiki
CVE-2024-51507 Oct 28, 2024
Tiki CMS 27.0 Stored XSS via External Wiki Name Field
Tiki through 27.0 allows users who have certain permissions to insert a "Create/Edit External Wiki" stored XSS payload in the Name.
Tiki
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).