Auth bypass in Tiki Software Community Association Wiki Cms Groupware
CVE-2025-34111
An unauthenticated arbitrary file upload vulnerability exists in Tiki Wiki CMS Groupware version 15.1 and earlier via the ELFinder component's default connector (connector.minimal.php), which allows remote attackers to upload and execute m…
Vulnerability class: Unrestricted File Upload
EPSS: 0.839 (99.3rd percentile)
Affected products
Weakness classification (CWE)
Public proof-of-concept exploits
References
- tiki.org/article434-Security-update-Tiki-15-2-Tiki-14-4-and-Tiki-12-9-released (vendor-advisory, patch)
- www.exploit-db.com/exploits/40091 (exploit)
- raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/u… (exploit)
- www.vulncheck.com/advisories/tiki-wiki-el-finder-unauthenticated-file-upload-rce (third-party-advisory)
Frequently asked questions
- What is CVE-2025-34111?
  - CVE-2025-34111 is a vulnerability in Tiki Software Community Association Wiki Cms Groupware, classified under Unrestricted Upload of File with Dangerous Type. Published 2025-07-15.
- Is CVE-2025-34111 known to be exploited?
  - 1 public proof-of-concept repository is indexed. Not currently listed in the CISA KEV catalog.