CVE-2025-34113

Tiki Wiki CMS Authenticated Command Injection in Calendar Module

Description

An authenticated command injection vulnerability exists in Tiki Wiki CMS versions ≤14.1, ≤12.4 LTS, ≤9.10 LTS, and ≤6.14 via the `viewmode` GET parameter in `tiki-calendar.php`. When the calendar module is enabled and an authenticated user has permission to access it, an attacker can inject and execute arbitrary PHP code. Successful exploitation leads to remote code execution in the context of the web server user.

INFO

Published Date :

2025-07-15T13:09:34.329Z

Last Modified :

2026-04-07T14:09:39.387Z

Source :

VulnCheck

AFFECTED PRODUCTS

The following products are affected by CVE-2025-34113 vulnerability.

Vendors	Products
Tiki	Tikiwiki Cms\/groupware

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-34113.

URL	Resource
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/tiki_calendar_exec.rb
https://tiki.org/article414-Important-Security-Fix-for-all-versions-of-Tiki
https://www.acunetix.com/vulnerabilities/web/tiki-wiki-cms-remote-code-execution-via-calendar-module/
https://www.exploit-db.com/exploits/39965
https://www.vulncheck.com/advisories/tiki-wiki-cms-authenticated-command-injection-in-calendar-module

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability