CVE-2025-34113
Tiki Wiki CMS Authenticated Command Injection in Calendar Module
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
An authenticated command injection vulnerability exists in Tiki Wiki CMS versions ≤14.1, ≤12.4 LTS, ≤9.10 LTS, and ≤6.14 via the `viewmode` GET parameter in `tiki-calendar.php`. When the calendar module is enabled and an authenticated user has permission to access it, an attacker can inject and execute arbitrary PHP code. Successful exploitation leads to remote code execution in the context of the web server user.
| CWE | CWE-306 CWE-20 CWE-78 |
| Vendor | tiki software community association |
| Product | wiki cms groupware |
| Published | Jul 15, 2025 |
| Last Updated | Apr 7, 2026 |
Stay Ahead of the Next One
Get instant alerts for tiki software community association wiki cms groupware
Be the first to know when new unknown vulnerabilities affecting tiki software community association wiki cms groupware are published — delivered to Slack, Telegram or Discord.
Get Free Alerts →
Free · No credit card · 60 sec setup
Affected Versions
Tiki Software Community Association / Wiki CMS Groupware
* ≤ 14.1 * ≤ 12.4 LTS * ≤ 9.10 LTS * ≤ 6.14
References
tiki.org: https://tiki.org/article414-Important-Security-Fix-for-all-versions-of-Tiki exploit-db.com: https://www.exploit-db.com/exploits/39965 raw.githubusercontent.com: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/tiki_calendar_exec.rb acunetix.com: https://www.acunetix.com/vulnerabilities/web/tiki-wiki-cms-remote-code-execution-via-calendar-module/ vulncheck.com: https://www.vulncheck.com/advisories/tiki-wiki-cms-authenticated-command-injection-in-calendar-module
Credits
Dany Ouellet