Affected Products

Vendor / product matrix with CVE counts sourced from the CPE catalog.

Export CSV

Products

1 vendor
VendorProductsCVEsKEVAvg EPSSWorst Severity
tiki
221020.4%CRITICAL

Related CVEs

21
CVE IDDescriptionSeverityCVSSKEVEPSSPublished
CVE-2024-46879A Reflected Cross-Site Scripting (XSS) vulnerability exists in the POST request data zipPath of tiki-admin_system.php in Tiki version 21.2. This vulnerability allows attackers to execute arbitrary JavaScript code via a crafted payload, leading to potential access to sensitive information or unauthorized actions.MEDIUM5.49.4%Mar 23, 2026
CVE-2024-46878A Cross-Site Scripting (XSS) vulnerability exists in the page parameter of tiki-editpage.php in Tiki version 26.3 and earlier. This vulnerability allows attackers to execute arbitrary JavaScript code via a crafted payload, leading to potential access to sensitive information or unauthorized actions.MEDIUM5.49.4%Mar 23, 2026
CVE-2025-34111An unauthenticated arbitrary file upload vulnerability exists in Tiki Wiki CMS Groupware version 15.1 and earlier via the ELFinder component's default connector (connector.minimal.php), which allows remote attackers to upload and execute malicious PHP scripts in the context of the web server. The vulnerable component does not enforce file type validation, allowing attackers to craft a POST request to upload executable PHP payloads through the ELFinder interface exposed at /vendor_extra/elfinder/.CRITICAL9.371.4%Jul 15, 2025
CVE-2024-51509Tiki through 27.0 allows users who have certain permissions to insert a "Modules" (aka tiki-admin_modules.php) stored XSS payload in the Name.MEDIUM4.811.9%Oct 28, 2024
CVE-2024-51508Tiki through 27.0 allows users who have certain permissions to insert a "Create/Edit External Wiki" stored XSS payload in the Index.MEDIUM4.814.4%Oct 28, 2024
CVE-2024-51507Tiki through 27.0 allows users who have certain permissions to insert a "Create/Edit External Wiki" stored XSS payload in the Name.MEDIUM4.814.4%Oct 28, 2024
CVE-2024-51506Tiki through 27.0 allows users who have certain permissions to insert a "Create a Wiki Pages" stored XSS payload in the description.MEDIUM4.811.9%Oct 28, 2024
CVE-2023-22851Tiki before 24.2 allows lib/importer/tikiimporter_blog_wordpress.php PHP Object Injection by an admin because of an unserialize call.HIGH7.2Jan 14, 2023
CVE-2023-22850Tiki before 24.1, when the Spreadsheets feature is enabled, allows lib/sheet/grid.php PHP Object Injection because of an unserialize call.HIGH8.8Jan 14, 2023
CVE-2023-22853Tiki before 24.1, when feature_create_webhelp is enabled, allows lib/structures/structlib.php PHP Object Injection because of an eval.HIGH8.8Jan 14, 2023
CVE-2023-22852Tiki through 25.0 allows CSRF attacks that are related to tiki-importer.php and tiki-import_sheet.php.MEDIUM6.5Jan 14, 2023
CVE-2021-36551TikiWiki v21.4 was discovered to contain a cross-site scripting (XSS) vulnerability in the component tiki-calendar.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload under the Add Event module.MEDIUM5.4Oct 28, 2021
CVE-2021-36550TikiWiki v21.4 was discovered to contain a cross-site scripting (XSS) vulnerability in the component tiki-browse_categories.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload under the Create category module.MEDIUM5.4Oct 28, 2021
CVE-2020-29254TikiWiki 21.2 allows templates to be edited without CSRF protection. This could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected system. The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected system. An attacker could exploit this vulnerability by persuading a user of the interface to follow a maliciously crafted link. A successful exploit could allow the attacker to perform arbitrary actions on an affected system with the privileges of the user. These action include allowing attackers to submit their own code through an authenticated user resulting in local file Inclusion. If an authenticated user who is able to edit TikiWiki templates visits an malicious website, template code can be edited.HIGH8.8Dec 11, 2020
CVE-2020-15906tiki-login.php in Tiki before 21.2 sets the admin password to a blank value after 50 invalid login attempts.CRITICAL9.8Oct 22, 2020
CVE-2020-16131Tiki before 21.2 allows XSS because [\s\/"\'] is not properly considered in lib/core/TikiFilter/PreventXss.php.MEDIUM6.1Aug 3, 2020
CVE-2020-8966There is an Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in php webpages of Tiki-Wiki Groupware. Tiki-Wiki CMS all versions through 20.0 allows malicious users to cause the injection of malicious code fragments (scripts) into a legitimate web page.MEDIUM6.1Apr 1, 2020
CVE-2013-6022A Cross-Site Scripting (XSS) vulnerability exists in Tiki Wiki CMG Groupware 11.0 via the id paraZeroClipboard.swf, which could let a remote malicious user execute arbitrary code.MEDIUM6.1Feb 12, 2020
CVE-2011-4558Tiki 8.2 and earlier allows remote administrators to execute arbitrary PHP code via crafted input to the regexres and regex parameters.HIGH7.2Jan 27, 2020
CVE-2011-4336Tiki Wiki CMS Groupware 7.0 has XSS via the GET "ajax" parameter to snarf_ajax.php.MEDIUM6.1Jan 15, 2020