CVE-2020-15906

CRITICAL NUCLEI

Tiki 16.3-21.1 - Authentication Bypass via Excessive Login Attempts

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2020-15906. PoCs published by S1lkys, securitystuffbackup. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a Python script and writeup for CVE-2020-15906, an authentication bypass vulnerability in Tiki Wiki CMS Groupware versions 16.x to 21.1. The exploit brute-forces the admin account until it is locked, then bypasses authentication by submitting an empty password.

Description

tiki-login.php in Tiki before 21.2 sets the admin password to a blank value after 50 invalid login attempts.

Exploits (2)

nomisec WORKING POC 49 stars

by S1lkys · poc

https://github.com/S1lkys/CVE-2020-15906

View Code ZIP pw:eip

This repository contains a Python script and writeup for CVE-2020-15906, an authentication bypass vulnerability in Tiki Wiki CMS Groupware versions 16.x to 21.1. The exploit brute-forces the admin account until it is locked, then bypasses authentication by submitting an empty password.

Classification

Working Poc 95%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: Tiki Wiki CMS Groupware 16.x - 21.1

No auth needed

Prerequisites: Network access to the Tiki Wiki login page · Admin account must be brute-forced until locked

MITRE ATT&CK

T1110 - Brute Force T1078 - Valid Accounts

devstral-2 · analyzed Feb 16, 2026 Full analysis →

gitlab WORKING POC

by securitystuffbackup · poc

https://gitlab.com/securitystuffbackup/CVE-2020-15906

View Code ZIP pw:eip

The repository contains a functional Python exploit for CVE-2020-15906, an authentication bypass vulnerability in Tiki Wiki CMS Groupware 16.x to 21.1. The exploit brute-forces the admin account until it is locked, then bypasses authentication by sending a login request without a password.

Classification

Working Poc 95%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: Tiki Wiki CMS Groupware 16.x - 21.1

No auth needed

Prerequisites: Network access to the target Tiki Wiki CMS · Admin account must be brute-forced until locked

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1078 - Valid Accounts

devstral-2 · analyzed Feb 23, 2026 Full analysis →

Nuclei Templates (1)

Tiki Wiki CMS GroupWare - Authentication Bypass

CRITICALby JeonSungHyun[nukunga],gy741,oIfloraIo,nechyo,harksu

Shodan: title:"Tiki Wiki CMS"

FOFA: title="Tiki Wiki CMS"

References (2)

Core 2

Core References

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/159663/Tiki-Wiki-CMS-Groupware-21.1-Authentication-Bypass.html

Patch, Vendor Advisory x_refsource_misc

https://info.tiki.org/article473-Security-Releases-of-all-Tiki-versions-since-16-3

Scores

CVSS v3 9.8

EPSS 0.2670

EPSS Percentile 97.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-307

Status published

Products (1)

tiki/tiki 16.3 - 21.2

Published Oct 22, 2020

Tracked Since Feb 18, 2026