TikiCVEs & Vulnerabilities

89 CVEs affecting Tiki products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

tikiwiki cms\/groupware 365tiki 16
CVE-2025-34111CRITICAL

An unauthenticated arbitrary file upload vulnerability exists in Tiki Wiki CMS Groupware version 15.1 and earlier via the ELFinder component's default connector (connector.minimal.php), which allows remote attackers to upload and execute malicious PHP scripts in the context of the web server. The vulnerable component does not enforce file type validation, allowing attackers to craft a POST request to upload executable PHP payloads through the ELFinder interface exposed at /vendor_extra/elfinder/.

15 Jul 2025
9.8
CVSS
CVE-2024-51509MEDIUM

Tiki through 27.0 allows users who have certain permissions to insert a "Modules" (aka tiki-admin_modules.php) stored XSS payload in the Name.

29 Oct 2024
4.8
CVSS
CVE-2024-51508MEDIUM

Tiki through 27.0 allows users who have certain permissions to insert a "Create/Edit External Wiki" stored XSS payload in the Index.

29 Oct 2024
4.8
CVSS
CVE-2024-51507MEDIUM

Tiki through 27.0 allows users who have certain permissions to insert a "Create/Edit External Wiki" stored XSS payload in the Name.

29 Oct 2024
4.8
CVSS
CVE-2024-51506MEDIUM

Tiki through 27.0 allows users who have certain permissions to insert a "Create a Wiki Pages" stored XSS payload in the description.

29 Oct 2024
4.8
CVSS
CVE-2023-22851HIGH

Tiki before 24.2 allows lib/importer/tikiimporter_blog_wordpress.php PHP Object Injection by an admin because of an unserialize call.

14 Jan 2023
7.2
CVSS
CVE-2023-22850HIGH

Tiki before 24.1, when the Spreadsheets feature is enabled, allows lib/sheet/grid.php PHP Object Injection because of an unserialize call.

14 Jan 2023
8.8
CVSS
CVE-2023-22853HIGH

Tiki before 24.1, when feature_create_webhelp is enabled, allows lib/structures/structlib.php PHP Object Injection because of an eval.

14 Jan 2023
8.8
CVSS
CVE-2023-22852MEDIUM

Tiki through 25.0 allows CSRF attacks that are related to tiki-importer.php and tiki-import_sheet.php.

14 Jan 2023
6.5
CVSS
CVE-2021-36551MEDIUM

TikiWiki v21.4 was discovered to contain a cross-site scripting (XSS) vulnerability in the component tiki-calendar.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload under the Add Event module.

28 Oct 2021
5.4
CVSS
CVE-2021-36550MEDIUM

TikiWiki v21.4 was discovered to contain a cross-site scripting (XSS) vulnerability in the component tiki-browse_categories.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload under the Create category module.

28 Oct 2021
5.4
CVSS
CVE-2020-29254HIGH

TikiWiki 21.2 allows templates to be edited without CSRF protection. This could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected system. The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected system. An attacker could exploit this vulnerability by persuading a user of the interface to follow a maliciously crafted link. A successful exploit could allow the attacker to perform arbitrary actions on an affected system with the privileges of the user. These action include allowing attackers to submit their own code through an authenticated user resulting in local file Inclusion. If an authenticated user who is able to edit TikiWiki templates visits an malicious website, template code can be edited.

11 Dec 2020
8.8
CVSS
CVE-2020-15906CRITICAL

tiki-login.php in Tiki before 21.2 sets the admin password to a blank value after 50 invalid login attempts.

22 Oct 2020
9.8
CVSS
CVE-2020-16131MEDIUM

Tiki before 21.2 allows XSS because [\s\/"\'] is not properly considered in lib/core/TikiFilter/PreventXss.php.

3 Aug 2020
6.1
CVSS
CVE-2020-8966MEDIUM

There is an Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in php webpages of Tiki-Wiki Groupware. Tiki-Wiki CMS all versions through 20.0 allows malicious users to cause the injection of malicious code fragments (scripts) into a legitimate web page.

2 Apr 2020
6.1
CVSS
CVE-2013-6022MEDIUM

A Cross-Site Scripting (XSS) vulnerability exists in Tiki Wiki CMG Groupware 11.0 via the id paraZeroClipboard.swf, which could let a remote malicious user execute arbitrary code.

13 Feb 2020
6.1
CVSS
CVE-2011-4558HIGHpoc

Tiki 8.2 and earlier allows remote administrators to execute arbitrary PHP code via crafted input to the regexres and regex parameters.

27 Jan 2020
7.2
CVSS
CVE-2011-4336MEDIUMpoc

Tiki Wiki CMS Groupware 7.0 has XSS via the GET "ajax" parameter to snarf_ajax.php.

15 Jan 2020
6.1
CVSS
CVE-2011-4455MEDIUM

Multiple cross-site scripting vulnerabilities in Tiki 7.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the path info to (1) tiki-admin_system.php, (2) tiki-pagehistory.php, (3) tiki-removepage.php, or (4) tiki-rename_page.php.

20 Nov 2019
6.1
CVSS
CVE-2011-4454MEDIUM

Multiple cross-site scripting vulnerabilities in Tiki 8.0 RC1 and earlier allow remote attackers to inject arbitrary web script or HTML via the path info to (1) tiki-remind_password.php, (2) tiki-index.php, (3) tiki-login_scr.php, or (4) tiki-index.

20 Nov 2019
6.1
CVSS
CVE-2010-4241HIGH

Tiki Wiki CMS Groupware 5.2 has CSRF

28 Oct 2019
8.8
CVSS
CVE-2010-4240MEDIUM

Tiki Wiki CMS Groupware 5.2 has XSS

28 Oct 2019
6.1
CVSS
CVE-2010-4239CRITICAL

Tiki Wiki CMS Groupware 5.2 has Local File Inclusion

28 Oct 2019
9.8
CVSS
CVE-2019-15314MEDIUM

tiki/tiki-upload_file.php in Tiki 18.4 allows remote attackers to upload JavaScript code that is executed upon visiting a tiki/tiki-download_file.php?display&fileId= URI.

22 Aug 2019
5.4
CVSS
CVE-2018-20719HIGH

In Tiki before 17.2, the user task component is vulnerable to a SQL Injection via the tiki-user_tasks.php show_history parameter.

15 Jan 2019
8.8
CVSS
CVE-2018-14850MEDIUM

Stored XSS vulnerabilities in Tiki before 18.2, 15.7 and 12.14 allow an authenticated user injecting JavaScript to gain administrator privileges if an administrator opens a wiki page and moves the mouse pointer over a modified link or thumb image.

13 Aug 2018
5.4
CVSS
CVE-2018-14849MEDIUM

Tiki before 18.2, 15.7 and 12.14 has XSS via link attributes, related to lib/core/WikiParser/OutputLink.php and lib/parser/parserlib.php.

13 Aug 2018
5.4
CVSS
CVE-2018-7290MEDIUM

Cross Site Scripting (XSS) exists in Tiki before 12.13, 15.6, 17.2, and 18.1.

9 Mar 2018
5.4
CVSS
CVE-2018-7304HIGH

Tiki 17.1 does not validate user input for special characters; consequently, a CSV Injection attack can open a CMD.EXE or Calculator window on the victim machine to perform malicious activity, as demonstrated by an "=cmd|' /C calc'!A0" payload during User Creation.

21 Feb 2018
8.8
CVSS
CVE-2018-7303MEDIUM

The Calendar component in Tiki 17.1 allows HTML injection.

21 Feb 2018
5.4
CVSS
CVE-2018-7302MEDIUM

Tiki 17.1 allows upload of a .PNG file that actually has SVG content, leading to XSS.

21 Feb 2018
5.4
CVSS
CVE-2018-7188MEDIUM

An XSS vulnerability (via an SVG image) in Tiki before 18 allows an authenticated user to gain administrator privileges if an administrator opens a wiki page with a malicious SVG image, related to lib/filegals/filegallib.php.

16 Feb 2018
5.4
CVSS
CVE-2016-7394MEDIUM

tiki wiki cms groupware <=15.2 has a xss vulnerability, allow attackers steal user's cookie.

6 Feb 2018
6.1
CVSS
CVE-2017-14925HIGH

Cross-Site Request Forgery (CSRF) vulnerability via IMG element in Tiki before 16.3, 17.x before 17.1, 12 LTS before 12.12 LTS, and 15 LTS before 15.5 LTS allows an authenticated user to edit global permissions if an administrator opens a wiki page with an IMG element, related to tiki-objectpermissions.php. For example, an attacker could assign administrator privileges to every unauthenticated user of the site.

30 Sep 2017
8.0
CVSS
CVE-2017-14924HIGH

Cross-Site Request Forgery (CSRF) vulnerability via IMG element in Tiki before 16.3, 17.x before 17.1, 12 LTS before 12.12 LTS, and 15 LTS before 15.5 LTS allows an authenticated user to gain administrator privileges if an administrator opens a wiki page with an IMG element, related to tiki-assignuser.php.

30 Sep 2017
8.0
CVSS
CVE-2017-9145MEDIUM

TikiFilter.php in Tiki Wiki CMS Groupware 12.x through 16.x does not properly validate the imgsize or lang parameter to prevent XSS.

26 Jun 2017
6.1
CVSS
CVE-2017-9305MEDIUM

lib/core/TikiFilter/PreventXss.php in Tiki Wiki CMS Groupware 16.2 allows remote attackers to bypass the XSS filter via padded zero characters, as demonstrated by an attack on tiki-batch_send_newsletter.php.

31 May 2017
6.1
CVSS
CVE-2016-10143HIGH

A vulnerability in Tiki Wiki CMS 15.2 could allow a remote attacker to read arbitrary files on a targeted system via a crafted pathname in a banner URL field.

20 Jan 2017
7.5
CVSS
CVE-2016-9889MEDIUM

Some forms with the parameter geo_zoomlevel_to_found_location in Tiki Wiki CMS 12.x before 12.10 LTS, 15.x before 15.3 LTS, and 16.x before 16.1 don't have the input sanitized, related to tiki-setup.php and article_image.php. The impact is XSS.

23 Dec 2016
6.1
CVSS
CVE-2013-4715HIGH

SQL injection vulnerability in Tiki Wiki CMS Groupware 6 LTS before 6.13LTS, 9 LTS before 9.7LTS, 10.x before 10.4, and 11.x before 11.1 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

6 Nov 2013
7.5
CVSS
CVE-2013-4714MEDIUM

Cross-site scripting (XSS) vulnerability in Tiki Wiki CMS Groupware 6 LTS before 6.13LTS, 9 LTS before 9.7LTS, 10.x before 10.4, and 11.x before 11.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

6 Nov 2013
4.3
CVSS
CVE-2012-5321MEDIUMpoc

tiki-featured_link.php in TikiWiki CMS/Groupware 8.3 allows remote attackers to load arbitrary web site pages into frames and conduct phishing attacks via the url parameter, aka "frame injection."

8 Oct 2012
5.8
CVSS
CVE-2011-4551MEDIUMpoc

Cross-site scripting (XSS) vulnerability in tiki-cookie-jar.php in TikiWiki CMS/Groupware before 8.2 and LTS before 6.5 allows remote attackers to inject arbitrary web script or HTML via arbitrary parameters.

1 Oct 2012
4.3
CVSS
CVE-2012-3996MEDIUMpoc

TikiWiki CMS/Groupware 8.3 and earlier allows remote attackers to obtain the installation path via a direct request to (1) admin/include_calendar.php, (2) tiki-rss_error.php, or (3) tiki-watershed_service.php.

12 Jul 2012
5.0
CVSS
CVE-2012-0911CRITICALpoc

TikiWiki CMS/Groupware before 6.7 LTS and before 8.4 allows remote attackers to execute arbitrary PHP code via a crafted serialized object in the (1) cookieName to lib/banners/bannerlib.php; (2) printpages or (3) printstructures parameter to (a) tiki-print_multi_pages.php or (b) tiki-print_pages.php; or (4) sendpages, (5) sendstructures, or (6) sendarticles parameter to tiki-send_objects.php, which is not properly handled when processed by the unserialize function.

12 Jul 2012
9.8
CVSS
CVE-2010-1136HIGH

The Standard Remember method in TikiWiki CMS/Groupware 3.x before 3.5 allows remote attackers to bypass access restrictions related to "persistent login," probably due to the generation of predictable cookies based on the IP address and User agent in userslib.php.

27 Mar 2010
7.5
CVSS
CVE-2010-1135HIGH

The user_logout function in TikiWiki CMS/Groupware 4.x before 4.2 does not properly delete user login cookies, which allows remote attackers to gain access via cookie reuse.

27 Mar 2010
7.5
CVSS
CVE-2010-1134HIGH

SQL injection vulnerability in the _find function in searchlib.php in TikiWiki CMS/Groupware 3.x before 3.5 allows remote attackers to execute arbitrary SQL commands via the $searchDate variable.

27 Mar 2010
7.5
CVSS
← PrevPage 1 / 2Next →