Description
An unauthenticated arbitrary file upload vulnerability exists in Tiki Wiki CMS Groupware version 15.1 and earlier via the ELFinder component's default connector (connector.minimal.php), which allows remote attackers to upload and execute malicious PHP scripts in the context of the web server. The vulnerable component does not enforce file type validation, allowing attackers to craft a POST request to upload executable PHP payloads through the ELFinder interface exposed at /vendor_extra/elfinder/.
Published: 2025-07-15
Score: 9.3 Critical
EPSS: 73.7% High
KEV: No
Impact: Remote Code Execution via Unauthenticated File Upload
Action: Immediate Patch
AI Analysis

Impact

An unauthenticated arbitrary file upload flaw exists in the ELFinder component bundled with Tiki Wiki CMS Groupware version 15.1 and earlier. The component's default connector (connector.minimal.php) neither requires authentication nor validates the type of uploaded files, so an attacker can upload a PHP script through the /vendor_extra/elfinder/ interface. Once uploaded, the script executes in the context of the web server, giving the attacker arbitrary command execution with the web server's privileges. The weakness is rooted in improper input validation (CWE‑20), missing authentication for a critical function (CWE‑306), and unrestricted upload of a file with a dangerous type (CWE‑434).

Affected Systems

Tiki Wiki CMS Groupware, maintained by the Tiki Software Community Association, is affected on version 15.1 and every earlier release; the CPE set on this record covers the product with a wildcard version and explicitly lists 12.9. Deployments of these releases that leave the ELFinder connector reachable at /vendor_extra/elfinder/ are vulnerable.

Risk and Exploitability

The CVSS v4.0 score of 9.3 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H) and NVD's CVSS v3.1 score of 9.8 both rate the flaw critical: reachable over the network, low attack complexity, no privileges or user interaction required, and full impact on confidentiality, integrity and availability. The EPSS score of 73.7% indicates a high likelihood of exploitation in the wild, up from 0.18% the day after publication. The flaw is not listed in CISA's KEV catalog at this time; the SSVC assessment recorded at publication marks it Automatable with a total Technical Impact, and Exploitation "none" as of that date. Based on the description, the likely attack vector is a single unauthenticated HTTP POST to connector.minimal.php under /vendor_extra/elfinder/, followed by a request to the uploaded .php file, which then runs on the web server without any credentials.

Generated by OpenCVE AI on April 28, 2026 at 11:05 UTC.
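The upload-then-execute sequence described above leaves a recognisable trace in ordinary web server access logs. The following is an added example written for this page by the editor, not code from OpenCVE, Tiki or the elFinder project: it parses combined-format access log lines, flags every anonymous hit on connector.minimal.php, and escalates when the same client then fetches a PHP-like file elsewhere under /vendor_extra/elfinder/ within a short window. The sample log lines are constructed, and the files/ location they use for the uploaded script is an assumption about where the stock connector stores uploads, not a path given in the advisory; the detector itself watches the whole /vendor_extra/elfinder/ prefix so it does not depend on that guess.

```python
"""Spot the CVE-2025-34111 attack sequence in web server access logs.

Added example by the editor, not code from OpenCVE, Tiki or elFinder.  Reads
Apache/nginx "combined" format lines, flags anonymous hits on the elFinder
connector, and escalates when the same client then fetches a PHP-like file
elsewhere under /vendor_extra/elfinder/ (an uploaded web shell being executed).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

ELFINDER_PREFIX = "/vendor_extra/elfinder/"
CONNECTOR = ELFINDER_PREFIX + "connector.minimal.php"
CORRELATION_WINDOW = timedelta(minutes=10)   # upload -> execution gap treated as one attack

# client - user [time] "METHOD path PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
PHP_EXT_RE = re.compile(r"\.(php\d?|phtml|phar|phps)$", re.IGNORECASE)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = unquote(m["path"]).split("?", 1)[0].lower()   # decode, strip query, normalise case
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": path,
        "status": int(m["status"]),
    }


def analyse(lines):
    """Return (severity, client_ip, message) findings, in time order."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["time"])
    connector_posts = defaultdict(list)     # ip -> times of POSTs to the connector
    findings = []
    for e in events:
        if not e["path"].startswith(ELFINDER_PREFIX):
            continue
        if e["path"] == CONNECTOR:
            # Any anonymous reach of the connector is suspect; a POST is the upload step.
            if e["method"] == "POST":
                connector_posts[e["ip"]].append(e["time"])
                findings.append(("medium", e["ip"], "POST to elFinder connector (possible upload)"))
            else:
                findings.append(("low", e["ip"], f"{e['method']} to elFinder connector"))
        elif PHP_EXT_RE.search(e["path"]):
            # A script under the elFinder tree that is not the connector itself.
            if e["status"] >= 400:
                findings.append(("medium", e["ip"], f"probe for {e['path']} ({e['status']})"))
                continue
            recent = [t for t in connector_posts[e["ip"]] if e["time"] - t <= CORRELATION_WINDOW]
            severity = "critical" if recent else "high"
            findings.append((severity, e["ip"],
                             f"served {e['path']} ({e['status']}) after "
                             f"{len(recent)} connector POST(s) in window"))
    return findings


# Constructed sample lines, not real traffic: 203.0.113.7 performs the upload-then-execute
# sequence, 198.51.100.2 only probes.  The files/ directory is an assumed upload location.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jul/2025:13:20:01 +0000] "GET /tiki-index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Jul/2025:13:20:05 +0000] "POST /vendor_extra/elfinder/connector.minimal.php HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.7 - - [15/Jul/2025:13:20:09 +0000] "GET /vendor_extra/elfinder/files/shell.php?c=id HTTP/1.1" 200 87 "-" "python-requests/2.31"
198.51.100.2 - - [15/Jul/2025:13:25:00 +0000] "GET /vendor_extra/elfinder/files/x.phtml HTTP/1.1" 404 210 "-" "curl/8.0"
198.51.100.2 - - [15/Jul/2025:13:25:03 +0000] "GET /vendor_extra/elfinder/connector.minimal.php?cmd=open&init=1 HTTP/1.1" 200 640 "-" "curl/8.0"
"""

if __name__ == "__main__":
    for severity, ip, message in analyse(SAMPLE_LOG.splitlines()):
        print(f"{severity:<8} {ip:<14} {message}")
```

Run it against a real log with `analyse(open(path).readlines())`. A "critical" finding is the full chain: the connector was posted to and a script that did not exist before was then served from the same tree to the same client. A "high" finding (script served, no matching POST in the window) still warrants a look at the file itself, since the upload may have happened earlier than the retained log or from a different address.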

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Tiki Wiki to a release newer than 15.1. No vendor fix or advisory is recorded on this page, so confirm against Tiki's own release notes which version removes or locks down the bundled ELFinder connector before relying on an upgrade alone.
  • If the ELFinder connector is not required for your deployment, remove it, or deny web access to /vendor_extra/elfinder/ (at minimum connector.minimal.php) at the web server so the upload interface is no longer reachable; then check the ELFinder upload location for PHP files that were placed before the block.
  • Configure the web server and PHP so that files in any upload directory are never interpreted as scripts: deny requests for PHP-like extensions there (or disable the PHP handler for that directory), and store uploads with permissions that do not allow execution.

Generated by OpenCVE AI on April 28, 2026 at 11:05 UTC.
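The second and third recommended actions can be applied and verified mechanically. The script below is an added example written for this page by the editor, not code from OpenCVE, Tiki or elFinder: it audits a Tiki document root for the connector, for PHP files already sitting in the upload location, and for the two web server controls, and then writes those controls as .htaccess rules. It assumes Apache with .htaccess overrides enabled for the document root, and that uploads made through the stock connector.minimal.php land in a files/ directory beside it; both are assumptions, not facts from the advisory, and an nginx deployment needs the equivalent `location` blocks in the server configuration instead.

```python
"""Audit and harden a Tiki docroot against the elFinder exposure behind CVE-2025-34111.

Added example by the editor, not code from OpenCVE, Tiki or elFinder.  Assumptions
(not from the advisory): the site is served by Apache with .htaccess overrides
enabled, and uploads made through the stock connector.minimal.php land in a
files/ directory beside the connector.
"""
import re
import shutil
import tempfile
from pathlib import Path

ELFINDER_DIR = Path("vendor_extra/elfinder")
CONNECTOR = ELFINDER_DIR / "connector.minimal.php"
UPLOAD_DIR = ELFINDER_DIR / "files"          # assumed upload location, see docstring
PHP_EXT_RE = re.compile(r"\.(php\d?|phtml|phar|phps)$", re.IGNORECASE)

# 1. Nothing under the connector directory should be reachable by anonymous clients.
DENY_ALL_HTACCESS = """# CVE-2025-34111 hardening: elFinder connector must not be web-reachable
Require all denied
"""

# 2. Defence in depth for the upload directory: refuse to serve PHP-like files at all.
#    Using Require (not php_flag) keeps this valid under both mod_php and php-fpm.
NO_PHP_HTACCESS = """# CVE-2025-34111 hardening: never serve or execute scripts from an upload directory
<FilesMatch "\\.(php[0-9]?|phtml|phar|phps)$">
    Require all denied
</FilesMatch>
"""


def _has_snippet(directory, snippet):
    ht = directory / ".htaccess"
    return ht.is_file() and snippet.strip() in ht.read_text()


def _ensure_snippet(directory, snippet):
    """Append snippet to directory/.htaccess unless already present; True if written."""
    if _has_snippet(directory, snippet):
        return False
    directory.mkdir(parents=True, exist_ok=True)
    ht = directory / ".htaccess"
    existing = ht.read_text() if ht.is_file() else ""
    if existing and not existing.endswith("\n"):
        existing += "\n"
    ht.write_text(existing + snippet)
    return True


def audit(docroot):
    """Report the state of the elFinder tree under docroot."""
    docroot = Path(docroot)
    upload = docroot / UPLOAD_DIR
    stray = []
    if upload.is_dir():
        # PHP files already in the upload directory: treat as possible web shells, not clutter.
        stray = sorted(p.name for p in upload.rglob("*") if p.is_file() and PHP_EXT_RE.search(p.name))
    return {
        "connector_present": (docroot / CONNECTOR).is_file(),
        "connector_denied": _has_snippet(docroot / ELFINDER_DIR, DENY_ALL_HTACCESS),
        "upload_dir_no_php": _has_snippet(upload, NO_PHP_HTACCESS),
        "stray_php": stray,
    }


def harden(docroot, remove_connector=False):
    """Apply the two .htaccess controls (idempotent); optionally delete the connector outright."""
    docroot = Path(docroot)
    changed = []
    if _ensure_snippet(docroot / ELFINDER_DIR, DENY_ALL_HTACCESS):
        changed.append((ELFINDER_DIR / ".htaccess").as_posix())
    if _ensure_snippet(docroot / UPLOAD_DIR, NO_PHP_HTACCESS):
        changed.append((UPLOAD_DIR / ".htaccess").as_posix())
    connector = docroot / CONNECTOR
    if remove_connector and connector.is_file():
        connector.unlink()
        changed.append(CONNECTOR.as_posix())
    return changed


def demo():
    """Build a constructed Tiki-like tree in a temp dir, then audit, harden and re-audit it."""
    root = Path(tempfile.mkdtemp())
    try:
        (root / UPLOAD_DIR).mkdir(parents=True)
        (root / CONNECTOR).write_text("<?php // stand-in for elFinder's connector.minimal.php\n")
        (root / UPLOAD_DIR / "shell.php").write_text("<?php system($_GET['c']); // constructed artefact\n")
        before = audit(root)
        first = harden(root)
        second = harden(root)                  # second run must be a no-op
        after = audit(root)
        removed = harden(root, remove_connector=True)
        final = audit(root)
        return {"before": before, "first": first, "second": second,
                "after": after, "removed": removed, "final": final}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step:<8} {result}")
```

Run `audit()` before changing anything: a non-empty `stray_php` on a host that was exposed is an incident indicator, so preserve those files for analysis rather than deleting them as cleanup. After `harden()`, a request to connector.minimal.php should return 403; a 200 means `AllowOverride` is not honouring .htaccess in that path, and a 500 means a directive error, so check the Apache error log before assuming the control is in place.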

Advisories
Source: EUVD
ID: EUVD-2025-21425
Title: An unauthenticated arbitrary file upload vulnerability exists in Tiki Wiki CMS Groupware version 15.1 and earlier via the ELFinder component's default connector (connector.minimal.php), which allows remote attackers to upload and execute malicious PHP scripts in the context of the web server. The vulnerable component does not enforce file type validation, allowing attackers to craft a POST request to upload executable PHP payloads through the ELFinder interface exposed at /vendor_extra/elfinder/.
History

Fri, 28 Nov 2025 16:30:00 +0000
Values added
CPEs: cpe:2.3:a:tiki:tikiwiki_cms\/groupware:12.9:*:*:*:*:*:*:*

Fri, 03 Oct 2025 00:45:00 +0000
Values added
First time appeared: Tiki; Tiki tikiwiki Cms\/groupware
CPEs: cpe:2.3:a:tiki:tikiwiki_cms\/groupware:*:*:*:*:*:*:*:*
Vendors & Products: Tiki; Tiki tikiwiki Cms\/groupware
Metrics (cvssV3_1): {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 16 Jul 2025 13:45:00 +0000
Values added
Metrics (epss): {'score': 0.00176}

Tue, 15 Jul 2025 14:30:00 +0000

Tue, 15 Jul 2025 14:15:00 +0000
Values added
Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 15 Jul 2025 14:00:00 +0000

Tue, 15 Jul 2025 13:15:00 +0000
Values added
Description: An unauthenticated arbitrary file upload vulnerability exists in Tiki Wiki CMS Groupware version 15.1 and earlier via the ELFinder component's default connector (connector.minimal.php), which allows remote attackers to upload and execute malicious PHP scripts in the context of the web server. The vulnerable component does not enforce file type validation, allowing attackers to craft a POST request to upload executable PHP payloads through the ELFinder interface exposed at /vendor_extra/elfinder/.
Title: Tiki Wiki <= 15.1 ELFinder Unauthenticated File Upload RCE
Weaknesses: CWE-20; CWE-306; CWE-434
References
Metrics (cvssV4_0): {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-07T14:09:37.876Z

Reserved: 2025-04-15T19:15:22.560Z

Link: CVE-2025-34111

Vulnrichment

Updated: 2025-07-15T13:30:33.150Z

NVD

Status: Analyzed

Published: 2025-07-15T13:15:30.980

Modified: 2025-10-03T00:42:13.970

Link: CVE-2025-34111

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T11:15:26Z

Weaknesses