CVE-2025-34113

An authenticated command injection vulnerability exists in Tiki Wiki CMS versions ≤14.1, ≤12.4 LTS, ≤9.10 LTS, and ≤6.14 via the `viewmode` GET parameter in `tiki-calendar.php`. When the calendar module is enabled and an authenticated user has permission to access it, an attacker can inject and execute arbitrary PHP code. Successful exploitation leads to remote code execution in the context of the web server user.

CVSS

No CVSS.

References

Link	Resource
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/tiki_calendar_exec.rb
https://tiki.org/article414-Important-Security-Fix-for-all-versions-of-Tiki
https://www.acunetix.com/vulnerabilities/web/tiki-wiki-cms-remote-code-execution-via-calendar-module/
https://www.exploit-db.com/exploits/39965
https://www.vulncheck.com/advisories/tiki-wiki-cms-authenticated-command-injection-in-calendar-module

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Existe una vulnerabilidad de inyección de comandos autenticados en las versiones ?14.1, ?12.4 LTS, ?9.10 LTS y ?6.14 de Tiki Wiki CMS mediante el parámetro GET `viewmode` en `tiki-calendar.php`. Cuando el módulo de calendario está habilitado y un usuario autenticado tiene permiso para acceder a él, un atacante puede inyectar y ejecutar código PHP arbitrario. Una explotación exitosa conlleva la ejecución remota de código en el contexto del usuario del servidor web.

15 Jul 2025, 14:15

Type	Values Removed	Values Added
References	~~{'url': 'https://vulncheck/advisories/tiki-wiki-cms-authenticated-command-injection-in-calendar-module', 'source': 'disclosure@vulncheck.com'}~~	() https://www.vulncheck.com/advisories/tiki-wiki-cms-authenticated-command-injection-in-calendar-module -

15 Jul 2025, 13:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-15 13:15

Updated : 2026-04-15 00:35

NVD link : CVE-2025-34113

Mitre link : CVE-2025-34113

CVE.ORG link : CVE-2025-34113

JSON object : View

Products Affected

No product.

CWE

CWE-20

Improper Input Validation

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-306

Missing Authentication for Critical Function

{"id": "CVE-2025-34113", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-07-15T13:15:31.273", "references": [{"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/tiki_calendar_exec.rb", "source": "disclosure@vulncheck.com"}, {"url": "https://tiki.org/article414-Important-Security-Fix-for-all-versions-of-Tiki", "source": "disclosure@vulncheck.com"}, {"url": "https://www.acunetix.com/vulnerabilities/web/tiki-wiki-cms-remote-code-execution-via-calendar-module/", "source": "disclosure@vulncheck.com"}, {"url": "https://www.exploit-db.com/exploits/39965", "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/tiki-wiki-cms-authenticated-command-injection-in-calendar-module", "source": "disclosure@vulncheck.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-78"}, {"lang": "en", "value": "CWE-306"}]}], "descriptions": [{"lang": "en", "value": "An authenticated command injection vulnerability exists in Tiki Wiki CMS versions \u226414.1, \u226412.4 LTS, \u22649.10 LTS, and \u22646.14 via the `viewmode` GET parameter in `tiki-calendar.php`. When the calendar module is enabled and an authenticated user has permission to access it, an attacker can inject and execute arbitrary PHP code. Successful exploitation leads to remote code execution in the context of the web server user."}, {"lang": "es", "value": "Existe una vulnerabilidad de inyecci\u00f3n de comandos autenticados en las versiones ?14.1, ?12.4 LTS, ?9.10 LTS y ?6.14 de Tiki Wiki CMS mediante el par\u00e1metro GET `viewmode` en `tiki-calendar.php`. Cuando el m\u00f3dulo de calendario est\u00e1 habilitado y un usuario autenticado tiene permiso para acceder a \u00e9l, un atacante puede inyectar y ejecutar c\u00f3digo PHP arbitrario. Una explotaci\u00f3n exitosa conlleva la ejecuci\u00f3n remota de c\u00f3digo en el contexto del usuario del servidor web."}], "lastModified": "2026-04-15T00:35:42.020", "sourceIdentifier": "disclosure@vulncheck.com"}