CVE-2025-34113

HIGH

Tiki Wiki CMS <14.1-6.14 - Command Injection

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-34113. PoCs published by Dany Ouellet, h00die <[email protected]>, Dany Ouellet, including Metasploit module exploits/linux/http/tiki_calendar_exec.

AI-analyzed exploit summary This exploit demonstrates a remote code execution (RCE) vulnerability in Tiki-Wiki CMS via the 'viewmode' parameter in tiki-calendar.php. The vulnerability allows arbitrary PHP code execution due to improper input sanitization.

Description

An authenticated command injection vulnerability exists in Tiki Wiki CMS versions ≤14.1, ≤12.4 LTS, ≤9.10 LTS, and ≤6.14 via the `viewmode` GET parameter in `tiki-calendar.php`. When the calendar module is enabled and an authenticated user has permission to access it, an attacker can inject and execute arbitrary PHP code. Successful exploitation leads to remote code execution in the context of the web server user.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Dany Ouellet · textwebappsphp

https://www.exploit-db.com/exploits/39965

View Code ZIP pw:eip

This exploit demonstrates a remote code execution (RCE) vulnerability in Tiki-Wiki CMS via the 'viewmode' parameter in tiki-calendar.php. The vulnerability allows arbitrary PHP code execution due to improper input sanitization.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Tiki-Wiki CMS (versions 14.2, 12.5 LTS, 9.11 LTS, and 6.15 if unpatched)

No auth needed

Prerequisites: Access to the tiki-calendar.php endpoint

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by h00die <[email protected]>, Dany Ouellet · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/tiki_calendar_exec.rb

View Code ZIP pw:eip

This Metasploit module exploits a remote code execution vulnerability in Tiki-Wiki CMS's calendar module via the viewmode GET parameter. It authenticates with provided credentials, sends a malicious payload, and achieves RCE on vulnerable versions.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Tiki-Wiki CMS <=14.1, <=12.4 LTS, <=9.10 LTS, <=6.14

Auth required

Prerequisites: Valid credentials for a user with calendar access · Calendar module enabled

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5

Core References

Various Sources vendor-advisory patch

https://tiki.org/article414-Important-Security-Fix-for-all-versions-of-Tiki

Exploit, Third Party Advisory exploit

https://www.exploit-db.com/exploits/39965

Various Sources exploit

https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/tiki_calendar_exec.rb

Various Sources third-party-advisory

https://www.acunetix.com/vulnerabilities/web/tiki-wiki-cms-remote-code-execution-via-calendar-module/

Third Party Advisory third-party-advisory

https://www.vulncheck.com/advisories/tiki-wiki-cms-authenticated-command-injection-in-calendar-module

Scores

CVSS v4 8.7

EPSS 0.0210

EPSS Percentile 79.3%

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-20 CWE-306 CWE-78

Status published

Products (4)

Tiki Software Community Association/Wiki CMS Groupware < 12.4 LTS

Tiki Software Community Association/Wiki CMS Groupware < 14.1

Tiki Software Community Association/Wiki CMS Groupware < 6.14

Tiki Software Community Association/Wiki CMS Groupware < 9.10 LTS

Published Jul 15, 2025

Tracked Since Feb 18, 2026