CVE-2025-34111
Tiki Wiki <= 15.1 ELFinder Unauthenticated File Upload RCE
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
An unauthenticated arbitrary file upload vulnerability exists in Tiki Wiki CMS Groupware version 15.1 and earlier via the ELFinder component's default connector (connector.minimal.php), which allows remote attackers to upload and execute malicious PHP scripts in the context of the web server. The vulnerable component does not enforce file type validation, allowing attackers to craft a POST request to upload executable PHP payloads through the ELFinder interface exposed at /vendor_extra/elfinder/.
| CWE | CWE-434 CWE-306 CWE-20 |
| Vendor | tiki software community association |
| Product | wiki cms groupware |
| Published | Jul 15, 2025 |
| Last Updated | Apr 7, 2026 |
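A defender can look for requests to the exposed connector in web server access logs. The following detection sketch is an added example, not code from the advisory or from Tiki; it assumes the common/combined access-log layout, and the `SUBDIR` path segment and all sample log lines are constructed.

```python
import posixpath
import re
from urllib.parse import unquote

# Path fragments taken from the advisory text above.
ELFINDER_DIR = "/vendor_extra/elfinder/"
CONNECTOR = "connector.minimal.php"

# Assumed layout: common/combined access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges, placeholder SUBDIR segment).
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Jul/2025:10:00:01 +0000] "POST /vendor_extra/elfinder/SUBDIR/connector.minimal.php HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.10 - - [15/Jul/2025:10:00:05 +0000] "POST /vendor_extra/./elfinder/SUBDIR/%63onnector.minimal.php?x=1 HTTP/1.1" 403 0 "-" "-"',
    '198.51.100.7 - - [15/Jul/2025:10:02:00 +0000] "GET /Vendor_Extra/elfinder/ HTTP/1.1" 200 1024 "-" "-"',
    '198.51.100.7 - - [15/Jul/2025:10:02:03 +0000] "GET /tiki-index.php HTTP/1.1" 200 2048 "-" "-"',
]

def normalise(target):
    """Drop the query, decode percent-escapes, collapse ./ and ../, lowercase."""
    path = unquote(target.split("?", 1)[0])
    return posixpath.normpath(path).lower()

def classify(line):
    """Return None for unrelated or unparsable lines, else a finding dict."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = normalise(m["target"])
    if ELFINDER_DIR not in path + "/":
        return None
    upload = m["method"] == "POST" and path.endswith("/" + CONNECTOR)
    if upload:  # POST to the connector: accepted (2xx) is worse than rejected
        severity = "high" if m["status"].startswith("2") else "medium"
    else:       # ELFinder directory reachable or probed, no upload request
        severity = "low"
    return {"ip": m["ip"], "time": m["ts"], "method": m["method"],
            "path": path, "status": int(m["status"]), "severity": severity}

def scan(lines):
    return [f for f in map(classify, lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Paths are normalised before matching so that percent-encoded, mixed-case or `./`-padded variants of the same request are still flagged.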
Affected Versions
Tiki Software Community Association / Wiki CMS Groupware
* ≤ 15.1
References
* tiki.org: https://tiki.org/article434-Security-update-Tiki-15-2-Tiki-14-4-and-Tiki-12-9-released
* exploit-db.com: https://www.exploit-db.com/exploits/40091
* raw.githubusercontent.com: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/tikiwiki_upload_exec.rb
* vulncheck.com: https://www.vulncheck.com/advisories/tiki-wiki-el-finder-unauthenticated-file-upload-rce
Credits
Mehmet Ince