Description
A Cross-Site Scripting (XSS) vulnerability exists in the page parameter of tiki-editpage.php in Tiki version 26.3 and earlier. This vulnerability allows attackers to execute arbitrary JavaScript code via a crafted payload, leading to potential access to sensitive information or unauthorized actions.
Published: 2026-03-23
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

The vulnerability is a Cross-Site Scripting flaw located in the page parameter of tiki-editpage.php. It allows an attacker to inject and execute arbitrary JavaScript in the browser of any user who views the affected page, potentially enabling theft of session data, impersonation, or execution of unauthorized actions on the victim's behalf. This flaw corresponds to CWE-79 and can compromise the confidentiality and integrity of user information.

Affected Systems

The issue affects all Tiki CMS releases 26.3 and earlier. Any installation running one of those versions should be treated as vulnerable until it is upgraded. This entry does not identify the release that contains the fix; the 27.x LTS line named under Recommended Actions is an inference from the affected range, not a version the advisory itself confirms.

Risk and Exploitability

With a CVSS 3.1 base score of 5.4 (vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) the vulnerability is rated medium. The vector indicates that it is reachable over the network with low attack complexity, but that the attacker needs a low-privileged account on the instance and the victim must interact, typically by following a crafted link or submitting a crafted form; the changed scope reflects that the injected script runs in the victim's browser rather than in the Tiki application itself. The EPSS score is below 1%, so exploitation in the wild is expected to be rare, and the CVE is not listed in the CISA Known Exploited Vulnerabilities catalog, although the SSVC assessment records public proof-of-concept exploitation and rates the flaw as not automatable. The attack vector is inferred rather than documented: a crafted URL or form submission carrying the payload in the page parameter. Whether unauthenticated visitors can reach that parameter depends on how anonymous page editing is configured. No public workaround is documented, so the only complete mitigation is to upgrade to a release that removes the vulnerable code.

Generated by OpenCVE AI on April 2, 2026 at 22:46 UTC.

Remediation

No vendor fix or workaround is currently recorded for this entry.

OpenCVE Recommended Actions

  • Upgrade Tiki CMS to version 27.x or later. The advisory only bounds the affected range at 26.3 and earlier, so confirm against the vendor's release notes that the release you move to actually contains the fix.
  • Restrict access to tiki-editpage.php so that only trusted, authenticated users can invoke it. This shrinks the pool of attackers who can craft a payload, but it does not protect those users themselves from a crafted link, since the script runs in whichever browser renders the page.
  • Encode the page parameter, and every other reflected input, for the HTML context in which it is rendered (element body, attribute, or script) rather than relying on input validation alone; validation guards against similar injection flaws, but output encoding is what actually prevents the injection.
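The check below is an added example, not code from the Tiki project or from OpenCVE. It gives an administrator a non-destructive way to see whether the page parameter of tiki-editpage.php comes back in the response without HTML encoding: it sends an inert canary (the four HTML metacharacters between two copies of a random marker, never a script) and reports which of those characters are reflected unencoded, which is the condition the recommended output-encoding fix removes. The endpoint and parameter names come from the advisory; the base URL, the cookie argument, the helper names (make_canary, build_url, reflected_metachars, assess, probe) and the sample response bodies are assumptions, and the samples are constructed here, not captured from any real instance.

```python
"""Added example: reflection check for the `page` parameter of tiki-editpage.php.
Not Tiki project code. Sends an inert canary, never a script, and reports which
HTML metacharacters the response reflects unencoded."""

import html
import re
import secrets
import sys
import urllib.error
import urllib.parse
import urllib.request

ENDPOINT = "tiki-editpage.php"   # script named in the advisory
PARAM = "page"                   # parameter named in the advisory
METACHARS = '<>"\''              # characters an HTML or attribute injection needs
CANARY_CORE = '<"\'>'            # '<' followed by '"' is not a tag opener, so this is inert text


def make_canary(marker):
    """Wrap the metacharacters between two copies of a random marker (assumed format)."""
    return f"{marker}{CANARY_CORE}{marker}"


def build_url(base_url, canary):
    """https://host/tiki -> https://host/tiki/tiki-editpage.php?page=<canary>"""
    query = urllib.parse.urlencode({PARAM: canary})
    return f"{base_url.rstrip('/')}/{ENDPOINT}?{query}"


def reflected_metachars(body, marker):
    """Set of metacharacters that appear literally between two copies of the marker,
    or None if the marker is not reflected at all. An empty set means the canary
    came back with every metacharacter encoded."""
    pattern = re.compile(re.escape(marker) + r"(.{0,64}?)" + re.escape(marker), re.S)
    middles = pattern.findall(body)
    if not middles:
        return None
    return {c for middle in middles for c in METACHARS if c in middle}


def assess(body, marker):
    """Human-readable verdict for one response body."""
    chars = reflected_metachars(body, marker)
    if chars is None:
        return "not reflected"
    if not chars:
        return "reflected, fully encoded"
    return "reflected with unencoded " + "".join(sorted(chars))


def _decode(resp):
    charset = resp.headers.get_content_charset() or "utf-8"
    return resp.read().decode(charset, "replace")


def probe(base_url, cookie="", timeout=10.0):
    """Live check against an instance you own. PR:L in the CVSS vector suggests an
    authenticated session is needed to reach the edit page, so pass the session
    cookie of a low-privilege test account. Error responses are inspected too,
    because a 403 page can still reflect the parameter."""
    marker = "cq" + secrets.token_hex(4)
    req = urllib.request.Request(build_url(base_url, make_canary(marker)))
    if cookie:
        req.add_header("Cookie", cookie)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = _decode(resp)
    except urllib.error.HTTPError as err:
        body = _decode(err)
    return assess(body, marker)


# Constructed sample responses (not captured from any real Tiki instance) showing
# the three rendering behaviours the check distinguishes, plus a non-reflecting page.
MARKER = "cq1234abcd"
CANARY = make_canary(MARKER)
SAMPLES = {
    # raw echo of the parameter: the vulnerable pattern
    "vulnerable": f"<h1>Edit page: {CANARY}</h1>",
    # every metacharacter encoded, as PHP htmlspecialchars with ENT_QUOTES would do
    "fixed": f"<h1>Edit page: {html.escape(CANARY, quote=True)}</h1>",
    # < > and " encoded but ' left alone: still injectable in a single-quoted attribute
    "partial": f"<h1>Edit page: {html.escape(CANARY, quote=False).replace(chr(34), '&quot;')}</h1>",
    "absent": "<h1>Edit page: HomePage</h1>",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:10s} {assess(body, MARKER)}")
    if len(sys.argv) > 1:  # python check.py https://wiki.example.test/tiki 'PHPSESSID=...'
        print("live:", probe(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else ""))
```

A "reflected, fully encoded" verdict only shows that the body-text rendering is encoded; it does not prove the parameter is safe in every context (a value echoed inside a script block or an event handler needs different encoding), and a "partial" verdict with a surviving single quote is still exploitable wherever the value lands in a single-quoted attribute. Treat the script as a screen to confirm an upgrade took effect, not as a substitute for reviewing where the parameter is rendered.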


Advisories

No advisories yet.

History

Fri, 03 Apr 2026 10:15:00 +0000

  Title: Cross-Site Scripting in Tiki Edit Page (v26.3 and earlier)

Thu, 02 Apr 2026 20:30:00 +0000

  CPEs: cpe:2.3:a:tiki:tiki:*:*:*:*:*:*:*:*

Wed, 25 Mar 2026 15:00:00 +0000

  Title: Cross-Site Scripting in Tiki Edit Page (v26.3 and earlier)

Tue, 24 Mar 2026 16:15:00 +0000

  Weaknesses: CWE-79
  Metrics:
    cvssV3_1: score 5.4, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
    ssvc (version 2.0.3): Automatable: no, Exploitation: poc, Technical Impact: partial

Tue, 24 Mar 2026 10:45:00 +0000

  First Time appeared: Tiki (vendor), tiki (product)
  Vendors & Products: Tiki (vendor), tiki (product)

Mon, 23 Mar 2026 19:45:00 +0000

  Description: A Cross-Site Scripting (XSS) vulnerability exists in the page parameter of tiki-editpage.php in Tiki version 26.3 and earlier. This vulnerability allows attackers to execute arbitrary JavaScript code via a crafted payload, leading to potential access to sensitive information or unauthorized actions.

References

MITRE

Status: PUBLISHED
Assigner: mitre
Published:
Updated: 2026-03-24T15:14:22.267Z
Reserved: 2024-09-12T00:00:00.000Z
Link: CVE-2024-46878

Vulnrichment

Updated: 2026-03-24T15:07:12.782Z

NVD

Status: Analyzed
Published: 2026-03-23T20:16:22.383
Modified: 2026-04-02T20:11:23.367
Link: CVE-2024-46878

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:39:11Z

Weaknesses