Known Vulnerabilities for products from Tiki

Listed below are 20 of the newest known vulnerabilities associated with the vendor "Tiki".

These CVEs are retrieved based on exact matches on listed vendor information (CPE data) as well as a keyword search to ensure the newest vulnerabilities with no officially listed vendor information are still displayed.

Data on known vulnerable products is also displayed based on information from known CPEs, each product links to its respective vulnerability page.

Known Vulnerabilities

| CVE | Shortened Description | Severity | Publish Date | Last Modified |
|---|---|---|---|---|
| CVE-2025-23986 | (no description provided) | Not Provided | 2025-05-19 | 2026-04-28 |
| CVE-2024-46879 | A Reflected Cross-Site Scripting (XSS) vulnerability exists in the POST request data zipPath of tiki-admin_system.php in Tiki... | Not Provided | 2026-03-23 | 2026-04-02 |
| CVE-2024-46878 | A Cross-Site Scripting (XSS) vulnerability exists in the page parameter of tiki-editpage.php in Tiki version 26.3 and earlier... | Not Provided | 2026-03-23 | 2026-04-02 |
| CVE-2023-22853 | Tiki before 24.1, when feature_create_webhelp is enabled, allows lib/structures/structlib.php PHP Object Injection because of... | 8.8 - HIGH | 2023-01-14 | 2023-01-23 |
| CVE-2023-22852 | Tiki through 25.0 allows CSRF attacks that are related to tiki-importer.php and tiki-import_sheet.php. | 6.5 - MEDIUM | 2023-01-14 | 2023-01-23 |
| CVE-2023-22851 | Tiki before 24.2 allows lib/importer/tikiimporter_blog_wordpress.php PHP Object Injection by an admin because of an unseriali... | 7.2 - HIGH | 2023-01-14 | 2023-01-25 |
| CVE-2023-22850 | Tiki before 24.1, when the Spreadsheets feature is enabled, allows lib/sheet/grid.php PHP Object Injection because of an unse... | 8.8 - HIGH | 2023-01-14 | 2023-01-25 |
| CVE-2021-36551 | TikiWiki v21.4 was discovered to contain a cross-site scripting (XSS) vulnerability in the component tiki-calendar.php. This ... | 5.4 - MEDIUM | 2021-10-28 | 2021-11-02 |
| CVE-2021-36550 | TikiWiki v21.4 was discovered to contain a cross-site scripting (XSS) vulnerability in the component tiki-browse_categories.p... | 5.4 - MEDIUM | 2021-10-28 | 2021-11-02 |
| CVE-2020-29254 | TikiWiki 21.2 allows templates to be edited without CSRF protection. This could allow an unauthenticated, remote attacker to ... | 8.8 - HIGH | 2020-12-11 | 2020-12-14 |
| CVE-2020-16131 | Tiki before 21.2 allows XSS because [\s\/"\'] is not properly considered in lib/core/TikiFilter/PreventXss.php. | 6.1 - MEDIUM | 2020-08-03 | 2020-08-04 |
| CVE-2020-15906 | tiki-login.php in Tiki before 21.2 sets the admin password to a blank value after 50 invalid login attempts. | 9.8 - CRITICAL | 2020-10-22 | 2020-11-03 |
| CVE-2020-8966 | There is an Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in php webpages of Ti... | 6.1 - MEDIUM | 2020-04-01 | 2020-04-03 |
| CVE-2019-15314 | tiki/tiki-upload_file.php in Tiki 18.4 allows remote attackers to upload JavaScript code that is executed upon visiting a tik... | 5.4 - MEDIUM | 2019-08-22 | 2019-08-28 |
| CVE-2018-20719 | In Tiki before 17.2, the user task component is vulnerable to a SQL Injection via the tiki-user_tasks.php show_history parame... | 8.8 - HIGH | 2019-01-15 | 2019-01-18 |
| CVE-2018-14850 | Stored XSS vulnerabilities in Tiki before 18.2, 15.7 and 12.14 allow an authenticated user injecting JavaScript to gain admin... | 5.4 - MEDIUM | 2018-08-13 | 2018-10-10 |
| CVE-2018-14849 | Tiki before 18.2, 15.7 and 12.14 has XSS via link attributes, related to lib/core/WikiParser/OutputLink.php and lib/parser/pa... | 5.4 - MEDIUM | 2018-08-13 | 2018-10-10 |
| CVE-2018-7304 | Tiki 17.1 does not validate user input for special characters; consequently, a CSV Injection attack can open a CMD.EXE or Cal... | 8.8 - HIGH | 2018-02-21 | 2020-08-24 |
| CVE-2018-7303 | The Calendar component in Tiki 17.1 allows HTML injection. | 5.4 - MEDIUM | 2018-02-21 | 2018-03-13 |
| CVE-2018-7302 | Tiki 17.1 allows upload of a .PNG file that actually has SVG content, leading to XSS. | 5.4 - MEDIUM | 2018-02-21 | 2018-03-12 |

Known software with vulnerabilities from Tiki

| Type | Vendor | Product | Version |
|---|---|---|---|
| Application | Tiki | Tiki | - |
| Application | Tiki | Tikiwiki Cms/groupware | 1.6.1 |

© CVE.report 2026


CVE, CWE, and OVAL are registered trademarks of The MITRE Corporation, and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.
