Tiki Wiki CMS 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
過去の問題は主に vendor risk sql injection and vendor risk input validation などに関し、一部は vendor impact unexpected behavior を招き、vendor surface software deployment and vendor surface production workloads 関連の場面に影響します。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2024-46879 | A Reflected Cross-Site Scripting (XSS) vulnerability exists in the POST request data zipPath of tiki-admin_system.php in Tiki version 21.2. This vulnerability allows attackers to execute arbitrary JavaScript code via a crafted payload, leading to potential access to sensitive information or unauthorized actions. | [email protected] | 5.4 | 0.02% | 2026-03-23 | 2026-04-02 |
| CVE-2024-46878 | A Cross-Site Scripting (XSS) vulnerability exists in the page parameter of tiki-editpage.php in Tiki version 26.3 and earlier. This vulnerability allows attackers to execute arbitrary JavaScript code via a crafted payload, leading to potential access to sensitive information or unauthorized actions. | [email protected] | 5.4 | 0.02% | 2026-03-23 | 2026-04-02 |
| CVE-2025-34111 | An unauthenticated arbitrary file upload vulnerability exists in Tiki Wiki CMS Groupware version 15.1 and earlier via the ELFinder component's default connector (connector.minimal.php), which allows remote attackers to upload and execute malicious PHP scripts in the context of the web server. The vulnerable component does not enforce file type validation, allowing attackers to craft a POST request to upload executable PHP payloads through the ELFinder interface exposed at /vendor_extra/elfinder/ | [email protected] | 9.3 | 83.87% | 2025-07-15 | 2025-10-03 |
| CVE-2024-51509 | Tiki through 27.0 allows users who have certain permissions to insert a "Modules" (aka tiki-admin_modules.php) stored XSS payload in the Name. | [email protected] | 4.8 | 0.19% | 2024-10-28 | 2025-06-03 |
| CVE-2024-51508 | Tiki through 27.0 allows users who have certain permissions to insert a "Create/Edit External Wiki" stored XSS payload in the Index. | [email protected] | 4.8 | 0.19% | 2024-10-28 | 2025-06-03 |
| CVE-2024-51507 | Tiki through 27.0 allows users who have certain permissions to insert a "Create/Edit External Wiki" stored XSS payload in the Name. | [email protected] | 4.8 | 0.05% | 2024-10-28 | 2025-06-03 |
| CVE-2024-51506 | Tiki through 27.0 allows users who have certain permissions to insert a "Create a Wiki Pages" stored XSS payload in the description. | [email protected] | 4.8 | 0.05% | 2024-10-28 | 2025-06-03 |
| CVE-2023-22851 | Tiki before 24.2 allows lib/importer/tikiimporter_blog_wordpress.php PHP Object Injection by an admin because of an unserialize call. | [email protected] | 7.2 | 0.76% | 2023-01-14 | 2025-04-04 |
| CVE-2023-22850 | Tiki before 24.1, when the Spreadsheets feature is enabled, allows lib/sheet/grid.php PHP Object Injection because of an unserialize call. | [email protected] | 8.8 | 1.31% | 2023-01-14 | 2025-04-07 |
| CVE-2023-22853 | Tiki before 24.1, when feature_create_webhelp is enabled, allows lib/structures/structlib.php PHP Object Injection because of an eval. | [email protected] | 8.8 | 1.11% | 2023-01-14 | 2025-04-07 |
| CVE-2023-22852 | Tiki through 25.0 allows CSRF attacks that are related to tiki-importer.php and tiki-import_sheet.php. | [email protected] | 6.5 | 0.12% | 2023-01-14 | 2025-04-07 |
| CVE-2021-36551 | TikiWiki v21.4 was discovered to contain a cross-site scripting (XSS) vulnerability in the component tiki-calendar.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload under the Add Event module. | [email protected] | 5.4 | 0.18% | 2021-10-28 | 2024-11-21 |
| CVE-2021-36550 | TikiWiki v21.4 was discovered to contain a cross-site scripting (XSS) vulnerability in the component tiki-browse_categories.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload under the Create category module. | [email protected] | 5.4 | 0.18% | 2021-10-28 | 2024-11-21 |
| CVE-2020-29254 | TikiWiki 21.2 allows templates to be edited without CSRF protection. This could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected system. The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected system. An attacker could exploit this vulnerability by persuading a user of the interface to follow a maliciously crafted link. A successful exploit could al | [email protected] | 8.8 | 3.30% | 2020-12-11 | 2024-11-21 |
| CVE-2020-15906 | tiki-login.php in Tiki before 21.2 sets the admin password to a blank value after 50 invalid login attempts. | [email protected] | 9.8 | 85.57% | 2020-10-22 | 2024-11-21 |
| CVE-2020-16131 | Tiki before 21.2 allows XSS because [\s\/"\'] is not properly considered in lib/core/TikiFilter/PreventXss.php. | [email protected] | 6.1 | 0.36% | 2020-08-03 | 2024-11-21 |
| CVE-2020-8966 | There is an Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in php webpages of Tiki-Wiki Groupware. Tiki-Wiki CMS all versions through 20.0 allows malicious users to cause the injection of malicious code fragments (scripts) into a legitimate web page. | [email protected] | 6.5 | 0.31% | 2020-04-01 | 2024-11-21 |
| CVE-2013-6022 | A Cross-Site Scripting (XSS) vulnerability exists in Tiki Wiki CMG Groupware 11.0 via the id paraZeroClipboard.swf, which could let a remote malicious user execute arbitrary code. | [email protected] | 6.1 | 0.21% | 2020-02-12 | 2024-11-21 |
| CVE-2011-4558 | Tiki 8.2 and earlier allows remote administrators to execute arbitrary PHP code via crafted input to the regexres and regex parameters. | [email protected] | 7.2 | 3.23% | 2020-01-27 | 2024-11-21 |
| CVE-2011-4336 | Tiki Wiki CMS Groupware 7.0 has XSS via the GET "ajax" parameter to snarf_ajax.php. | [email protected] | 6.1 | 0.93% | 2020-01-15 | 2024-11-21 |