Description
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the POST request data zipPath of tiki-admin_system.php in Tiki version 21.2. This vulnerability allows attackers to execute arbitrary JavaScript code via a crafted payload, leading to potential access to sensitive information or unauthorized actions.
Published: 2026-03-23
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Client-side Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

A reflected XSS flaw is present in the zipPath POST parameter of tiki-admin_system.php: the submitted value is written back into the response without adequate output encoding, so a crafted value is interpreted as HTML and executed as JavaScript in the browser of the user who submits the form. That user must already be authenticated (the CVSS vector records PR:L), and because tiki-admin_system.php is an administrative page the affected session is typically an administrator's. Script running in that session can read page content, issue authenticated requests on the user's behalf (session riding, even where HttpOnly cookies prevent outright cookie theft), or capture credentials entered on the page. The root cause is the classic CWE-79 pattern: untrusted input echoed into HTML without escaping.
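As an added example (not code from this page or from the Tiki project, and not a proof of concept for the CVE), the check below shows the distinction the paragraph above turns on: it sends an inert canary as the zipPath parameter and classifies the response as reflected verbatim, reflected encoded, partially altered, or absent. The endpoint and parameter names come from the CVE description; the canary format, the constructed sample responses in demo(), and the shape of the send_probe() request (an authenticated session cookie and no other form fields) are assumptions. escape_for_html() is the output-encoding step whose absence produces CWE-79.

```python
"""Probe for unencoded reflection of a POST parameter, offline-testable.

Added example for this page; it is not Tiki project code and not a PoC for
the CVE. The endpoint and parameter name (tiki-admin_system.php, zipPath)
come from the CVE description. The canary format, the sample HTML bodies in
demo(), and the assumption that the parameter is echoed into the page are
constructed for illustration. Only point send_probe() at an instance you are
authorised to test; Tiki admin forms may require fields (such as a CSRF
ticket) that this minimal request does not supply.
"""
import html
import secrets
import urllib.parse
import urllib.request

ENDPOINT = "tiki-admin_system.php"   # from the CVE description
PARAM = "zipPath"                    # from the CVE description


def escape_for_html(value: str) -> str:
    """The fix for CWE-79 in this context: encode the HTML metacharacters
    before writing user input into element text or a quoted attribute."""
    return html.escape(value, quote=True)


def make_canary() -> str:
    """An inert marker: a random token wrapped around the characters that
    distinguish verbatim reflection from encoded reflection. It contains no
    script and does nothing if reflected, so it is safe to send."""
    token = secrets.token_hex(4)          # 8 hex chars, e.g. '3fa9c0d1'
    return f'zp{token}<"\'>{token}'


def canary_token(canary: str) -> str:
    """Recover the random token from a canary built by make_canary()."""
    return canary[2:10]


def classify_reflection(body: str, canary: str) -> str:
    """Classify how a response treats the canary.

    'raw'      canary appears verbatim: metacharacters reached the HTML
               unencoded, which is the vulnerable pattern;
    'encoded'  token appears only with all four metacharacters HTML-escaped;
    'partial'  token appears but the metacharacters were altered or only
               some were escaped (inspect manually: a raw quote inside an
               attribute is still injectable);
    'absent'   the value is not reflected at all.
    """
    if canary in body:
        return "raw"
    # Accept either the hex-entity or the decimal-entity spelling as safe.
    escaped_forms = {
        html.escape(canary, quote=True),            # &lt;&quot;&#x27;&gt;
        canary.replace("<", "&lt;").replace(">", "&gt;")
              .replace('"', "&#34;").replace("'", "&#39;"),
    }
    if any(form in body for form in escaped_forms):
        return "encoded"
    if canary_token(canary) in body:
        return "partial"
    return "absent"


def send_probe(base_url: str, cookie: str, canary: str, timeout: float = 10.0) -> str:
    """POST the canary as zipPath to tiki-admin_system.php and return the body.

    base_url must end with '/' (e.g. 'https://wiki.example.test/tiki/').
    cookie is an authenticated session cookie: the page is admin-only and the
    CVSS vector records PR:L, so an anonymous request does not reach the code.
    """
    url = urllib.parse.urljoin(base_url, ENDPOINT)
    data = urllib.parse.urlencode({PARAM: canary}).encode()
    req = urllib.request.Request(
        url, data=data, method="POST",
        headers={"Cookie": cookie,
                 "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, errors="replace")


def demo() -> dict:
    """Run the classifier over three constructed responses (not captured from
    Tiki): a template that echoes the value verbatim, one that encodes it
    with escape_for_html(), and one that never echoes it."""
    c = make_canary()
    raw_body = f'<input type="text" name="{PARAM}" value="{c}">'
    encoded_body = f'<input type="text" name="{PARAM}" value="{escape_for_html(c)}">'
    silent_body = f'<input type="text" name="{PARAM}" value="">'
    return {
        "raw_template": classify_reflection(raw_body, c),
        "encoded_template": classify_reflection(encoded_body, c),
        "no_echo": classify_reflection(silent_body, c),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Running the file as-is exercises the classifier on the constructed samples only. To check a real instance you are authorised to test, call send_probe() with an admin session cookie and pass the returned body to classify_reflection(). A 'raw' verdict reproduces the vulnerable pattern; a 'partial' verdict means something transformed the value without fully encoding it and needs a manual look at the surrounding HTML context.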

Affected Systems

The CVE description names Tiki CMS version 21.2. The NVD CPE attached to this record is a wildcard (cpe:2.3:a:tiki:tiki:*), so the affected range may be wider than that single version; check the NVD configuration and Tiki's release notes before treating an installation as out of scope. No fixed version is recorded on this page, so administrators running 21.2 should watch for a Tiki release that explicitly addresses CVE-2024-46879 rather than assume a particular 21.x build already contains the fix.

Risk and Exploitability

The flaw carries a CVSS 3.1 base score of 5.4 (Medium), vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N: reachable over the network with low attack complexity, but the victim must be an authenticated user (PR:L) and must interact (UI:R), typically by submitting an attacker-controlled form that POSTs the crafted zipPath value to tiki-admin_system.php on a Tiki instance where they are logged in. The EPSS estimate is below 1% and the CVE is not in the CISA Known Exploited Vulnerabilities catalog, although the SSVC assessment records that a proof of concept exists (Exploitation: poc). Scope is rated Changed because the payload executes in the victim's browser rather than on the Tiki server; the damage is bounded by what the victim's session can do, which on an administrative page may include configuration changes, so "client-side" should not be read as "low value".

Generated by OpenCVE AI on April 2, 2026 at 22:46 UTC.

Remediation

No vendor fix or workaround is recorded on this page. Until Tiki publishes one, the general controls for reflected XSS apply: restrict which accounts can reach tiki-admin_system.php (only authenticated users can trigger the flaw), and a Content-Security-Policy that disallows inline script limits what a reflected payload can execute. Neither substitutes for encoding the zipPath value on output.

OpenCVE Recommended Actions

  • Track Tiki's security advisories and apply the release that fixes CVE-2024-46879 as soon as one is published; this page records no fixed version, so confirm the fix against the vendor's release notes rather than assuming any 21.x build already contains it.

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 10:15:00 +0000
  Title (values added): Reflected XSS via zipPath in Tiki Admin System

Thu, 02 Apr 2026 20:30:00 +0000
  CPEs (values added): cpe:2.3:a:tiki:tiki:*:*:*:*:*:*:*:*

Wed, 25 Mar 2026 15:00:00 +0000
  Title (values added): Reflected XSS via zipPath in Tiki Admin System

Tue, 24 Mar 2026 16:15:00 +0000
  Weaknesses (values added): CWE-79
  Metrics (values added):
    cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 10:45:00 +0000
  First Time appeared (values added): Tiki; Tiki tiki
  Vendors & Products (values added): Tiki; Tiki tiki

Mon, 23 Mar 2026 19:45:00 +0000
  Description (values added): A Reflected Cross-Site Scripting (XSS) vulnerability exists in the POST request data zipPath of tiki-admin_system.php in Tiki version 21.2. This vulnerability allows attackers to execute arbitrary JavaScript code via a crafted payload, leading to potential access to sensitive information or unauthorized actions.
References

MITRE
  Status: PUBLISHED
  Assigner: mitre
  Published:
  Updated: 2026-03-24T15:14:16.483Z
  Reserved: 2024-09-12T00:00:00.000Z
  Link: CVE-2024-46879

Vulnrichment
  Updated: 2026-03-24T15:11:08.292Z

NVD
  Status: Analyzed
  Published: 2026-03-23T20:16:22.530
  Modified: 2026-04-02T20:11:38.260
  Link: CVE-2024-46879

Redhat
  No data.

OpenCVE Enrichment
  Updated: 2026-04-03T09:39:10Z

Weaknesses