PT-2025-15668 · Tiki
Credit: Danelif (+1)
Published: 2025-04-09 · Updated: 2025-07-08
CVE-2025-32461
CVSS v3.1: 9.9 (Critical)
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions:
Tiki versions prior to 28.3
Tiki versions prior to 21.12
Tiki versions prior to 24.8
Tiki versions prior to 27.2
Description:
The issue concerns the wikiplugin_includetpl plugin in lib/wiki-plugins/wikiplugin_includetpl.php in Tiki, which mishandles input passed to an eval. This can lead to remote code execution via template injection. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents in which this issue was exploited.
Recommendations:
For Tiki versions prior to 28.3, update to version 28.3 or later.
For Tiki versions prior to 21.12, update to version 21.12 or later.
For Tiki versions prior to 24.8, update to version 24.8 or later.
For Tiki versions prior to 27.2, update to version 27.2 or later.
As a temporary workaround, consider disabling the eval function in wikiplugin_includetpl until the fixed version can be applied. Restrict access to the vulnerable module lib/wiki-plugins/wikiplugin_includetpl.php to minimize the risk of exploitation, and avoid using the wikiplugin_includetpl plugin until the issue is resolved.
Tags: Fix · RCE
Affected Products: Tiki