CVE-2025-34113

HIGH

Tiki Wiki CMS <14.1-6.14 - Command Injection

Title source: llm

Description

An authenticated command injection vulnerability exists in Tiki Wiki CMS versions ≤14.1, ≤12.4 LTS, ≤9.10 LTS, and ≤6.14 via the `viewmode` GET parameter in `tiki-calendar.php`. When the calendar module is enabled and an authenticated user has permission to access it, an attacker can inject and execute arbitrary PHP code. Successful exploitation leads to remote code execution in the context of the web server user.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Dany Ouellet · textwebappsphp

https://www.exploit-db.com/exploits/39965

View Code ZIP pw:eip

metasploit WORKING POC EXCELLENT

by h00die <[email protected]>, Dany Ouellet · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/tiki_calendar_exec.rb

View Code ZIP pw:eip

References (5)

[Various Sources] https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/tiki_calendar_exec.rb

[Various Sources] https://tiki.org/article414-Important-Security-Fix-for-all-versions-of-Tiki

[Various Sources] https://www.acunetix.com/vulnerabilities/web/tiki-wiki-cms-remote-code-execution-via-calendar-module/

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/39965

[Third Party Advisory] https://www.vulncheck.com/advisories/tiki-wiki-cms-authenticated-command-injection-in-calendar-module

Scores

CVSS v4 8.7

EPSS 0.4437

EPSS Percentile 97.6%

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Details

CWE

CWE-20 CWE-306 CWE-78

Status published

Products (4)

Tiki Software Community Association/Wiki CMS Groupware < 12.4 LTS

Tiki Software Community Association/Wiki CMS Groupware < 14.1

Tiki Software Community Association/Wiki CMS Groupware < 6.14

Tiki Software Community Association/Wiki CMS Groupware < 9.10 LTS

Published Jul 15, 2025

Tracked Since Feb 18, 2026