VYPR
Vendor: Tiki

In Māori mythology, Tiki is the first man created by either Tūmatauenga or Tāne. He found the first woman, Marikoriko, in a pond; she seduced him, and he became the father of Hine-kau-ataata. By extension, a tiki is a large or small wooden, pounamu or other stone carving in humanoid form, although this is a somewhat archaic usage in the Māori language, where a tiki is usually a hei-tiki, a pendant worn around the neck. Hei-tiki are often considered taonga, especially if they are older and have been passed down throughout multiple generations.

Products: 3
CVEs: 89
Across products: 128
Status: Private

Recent CVEs (89)
  • CVE-2012-0911 · Critical · Jul 12, 2012
    risk 0.72 · CVSS 9.8 · EPSS 0.63

    TikiWiki CMS/Groupware before 6.7 LTS and before 8.4 allows remote attackers to execute arbitrary PHP code via a crafted serialized object in the (1) cookieName to lib/banners/bannerlib.php; (2) printpages or (3) printstructures parameter to (a) tiki-print_multi_pages.php or (b)…

  • CVE-2025-34113 · High · Jul 15, 2025
    risk 0.65 · CVSS n/a · EPSS 0.02

    An authenticated command injection vulnerability exists in Tiki Wiki CMS versions ≤14.1, ≤12.4 LTS, ≤9.10 LTS, and ≤6.14 via the `viewmode` GET parameter in `tiki-calendar.php`. When the calendar module is enabled and an authenticated user has permission to access it, an…

  • CVE-2025-32461 · Critical · Apr 9, 2025
    risk 0.57 · CVSS 9.9 · EPSS 0.01

    wikiplugin_includetpl in lib/wiki-plugins/wikiplugin_includetpl.php in Tiki before 28.3 mishandles input to an eval. The fixed versions are 21.12, 24.8, 27.2, and 28.3.

  • CVE-2018-7304 · High · Feb 21, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    Tiki 17.1 does not validate user input for special characters; consequently, a CSV Injection attack can open a CMD.EXE or Calculator window on the victim machine to perform malicious activity, as demonstrated by an "=cmd|' /C calc'!A0" payload during User Creation.

  • CVE-2017-14925 · High · Sep 30, 2017
    risk 0.52 · CVSS 8.0 · EPSS 0.01

    Cross-Site Request Forgery (CSRF) vulnerability via IMG element in Tiki before 16.3, 17.x before 17.1, 12 LTS before 12.12 LTS, and 15 LTS before 15.5 LTS allows an authenticated user to edit global permissions if an administrator opens a wiki page with an IMG element, related…

  • CVE-2017-14924 · High · Sep 30, 2017
    risk 0.52 · CVSS 8.0 · EPSS 0.01

    Cross-Site Request Forgery (CSRF) vulnerability via IMG element in Tiki before 16.3, 17.x before 17.1, 12 LTS before 12.12 LTS, and 15 LTS before 15.5 LTS allows an authenticated user to gain administrator privileges if an administrator opens a wiki page with an IMG element,…

  • CVE-2016-10143 · High · Jan 20, 2017
    risk 0.49 · CVSS 7.5 · EPSS 0.02

    A vulnerability in Tiki Wiki CMS 15.2 could allow a remote attacker to read arbitrary files on a targeted system via a crafted pathname in a banner URL field.

  • CVE-2017-9145 · Medium · Jun 26, 2017
    risk 0.40 · CVSS 6.1 · EPSS 0.01

    TikiFilter.php in Tiki Wiki CMS Groupware 12.x through 16.x does not properly validate the imgsize or lang parameter to prevent XSS.

  • CVE-2017-9305 · Medium · May 31, 2017
    risk 0.40 · CVSS 6.1 · EPSS 0.01

    lib/core/TikiFilter/PreventXss.php in Tiki Wiki CMS Groupware 16.2 allows remote attackers to bypass the XSS filter via padded zero characters, as demonstrated by an attack on tiki-batch_send_newsletter.php.

  • CVE-2016-9889 · Medium · Dec 23, 2016
    risk 0.40 · CVSS 6.1 · EPSS 0.01

    Some forms with the parameter geo_zoomlevel_to_found_location in Tiki Wiki CMS 12.x before 12.10 LTS, 15.x before 15.3 LTS, and 16.x before 16.1 don't have the input sanitized, related to tiki-setup.php and article_image.php. The impact is XSS.

  • CVE-2024-46879 · Medium · Mar 23, 2026
    risk 0.35 · CVSS 5.4 · EPSS 0.00

    A Reflected Cross-Site Scripting (XSS) vulnerability exists in the POST request data zipPath of tiki-admin_system.php in Tiki version 21.2. This vulnerability allows attackers to execute arbitrary JavaScript code via a crafted payload, leading to potential access to sensitive…

  • CVE-2024-46878 · Medium · Mar 23, 2026
    risk 0.35 · CVSS 5.4 · EPSS 0.00

    A Cross-Site Scripting (XSS) vulnerability exists in the page parameter of tiki-editpage.php in Tiki version 26.3 and earlier. This vulnerability allows attackers to execute arbitrary JavaScript code via a crafted payload, leading to potential access to sensitive information or…

  • CVE-2018-14850 · Medium · Aug 13, 2018
    risk 0.35 · CVSS 5.4 · EPSS 0.01

    Stored XSS vulnerabilities in Tiki before 18.2, 15.7 and 12.14 allow an authenticated user injecting JavaScript to gain administrator privileges if an administrator opens a wiki page and moves the mouse pointer over a modified link or thumb image.

  • CVE-2018-14849 · Medium · Aug 13, 2018
    risk 0.35 · CVSS 5.4 · EPSS 0.01

    Tiki before 18.2, 15.7 and 12.14 has XSS via link attributes, related to lib/core/WikiParser/OutputLink.php and lib/parser/parserlib.php.

  • CVE-2018-7290 · Medium · Mar 9, 2018
    risk 0.35 · CVSS 5.4 · EPSS 0.01

    Cross Site Scripting (XSS) exists in Tiki before 12.13, 15.6, 17.2, and 18.1.

  • CVE-2018-7303 · Medium · Feb 21, 2018
    risk 0.35 · CVSS 5.4 · EPSS 0.01

    The Calendar component in Tiki 17.1 allows HTML injection.

  • CVE-2018-7188 · Medium · Feb 16, 2018
    risk 0.35 · CVSS 5.4 · EPSS 0.01

    An XSS vulnerability (via an SVG image) in Tiki before 18 allows an authenticated user to gain administrator privileges if an administrator opens a wiki page with a malicious SVG image, related to lib/filegals/filegallib.php.

  • CVE-2025-34111 · Jul 15, 2025
    risk 0.10 · CVSS n/a · EPSS 0.02

    An unauthenticated arbitrary file upload vulnerability exists in Tiki Wiki CMS Groupware version 15.1 and earlier via the ELFinder component's default connector (connector.minimal.php), which allows remote attackers to upload and execute malicious PHP scripts in the context of…

  • CVE-2007-5423 · Oct 12, 2007
    risk 0.09 · CVSS n/a · EPSS 0.77

    tiki-graph_formula.php in TikiWiki 1.9.8 allows remote attackers to execute arbitrary code via PHP sequences in the f array parameter, which are processed by create_function.

  • CVE-2005-1921 · Jul 5, 2005
    risk 0.09 · CVSS n/a · EPSS 0.79

    Eval injection vulnerability in PEAR XML_RPC 1.3.0 and earlier (aka XML-RPC or xmlrpc) and PHPXMLRPC (aka XML-RPC For PHP or php-xmlrpc) 1.1 and earlier, as used in products such as (1) WordPress, (2) Serendipity, (3) Drupal, (4) egroupware, (5) MailWatch, (6) TikiWiki, (7)…