PT-2025-29553 · Unknown+1 · Tikiwiki Cms/Groupware+1

Mehmet Ince · Published 2025-07-15 · Updated 2025-07-15 · CVE-2025-34111

CVSS v3.1: 9.8 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Name of the Vulnerable Software and Affected Versions

Tiki Wiki CMS Groupware versions 15.1 and earlier

Description

An unauthenticated arbitrary file upload issue exists in the Tiki Wiki CMS Groupware software. The vulnerability is located within the ELFinder component’s default connector (connector.minimal.php). It allows remote attackers to upload and execute malicious PHP scripts in the context of the web server due to a lack of file type validation. Attackers can craft a POST request to upload executable PHP payloads through the ELFinder interface exposed at /vendor_extra/elfinder/.

Recommendations

Versions prior to 15.1 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
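
Since no fixed version is listed, one check available to defenders is to review web server logs for POSTs to the connector and for script requests under the ELFinder path. The Python below is an added example, not part of the original advisory or of Tiki's code; it assumes combined-format access logs and the /vendor_extra/elfinder/ path, and the sample lines (including the php/ and files/ sub-paths) are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumptions: path prefix and connector name as given in the advisory text.
ELFINDER_PREFIX = "/vendor_extra/elfinder/"
CONNECTOR = "connector.minimal.php"
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$")   # extensions commonly run as PHP
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jul/2025:10:01:02 +0000] "GET /tiki-index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Jul/2025:10:01:05 +0000] "POST /vendor_extra/elfinder/php/connector.minimal.php HTTP/1.1" 200 412 "-" "curl/8.0"
203.0.113.7 - - [15/Jul/2025:10:01:09 +0000] "GET /vendor_extra/elfinder/files/x.php HTTP/1.1" 200 17 "-" "curl/8.0"
198.51.100.4 - - [15/Jul/2025:10:02:00 +0000] "GET /vendor_extra/elfinder/elfinder.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Jul/2025:10:03:00 +0000] "GET /vendor_extra/elfinder/files/a%2Ephp HTTP/1.1" 404 0 "-" "curl/8.0"
"""

def scan(log_text):
    """Return (client_ip, finding, normalized_path) tuples in log order."""
    findings = []
    posted = set()  # clients that have already POSTed to the connector
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, method, target, _status = m.groups()
        # Drop the query string, decode %xx escapes, fold case before matching.
        path = unquote(urlsplit(target).path).lower()
        if ELFINDER_PREFIX not in path:
            continue
        if path.endswith("/" + CONNECTOR):
            # Legitimate file-manager use also POSTs here, so this is a
            # signal to review, not proof of compromise.
            if method == "POST":
                posted.add(ip)
                findings.append((ip, "connector_post", path))
        elif SCRIPT_EXT.search(path):
            # Any other server-side script under the ELFinder tree is unexpected.
            kind = "script_after_connector_post" if ip in posted else "script_request"
            findings.append((ip, kind, path))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

A script_after_connector_post finding from the same client is the higher-priority result; the file it names should be inspected on disk.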

Exploit

RCE

Unrestricted File Upload

Missing Authentication

Weakness Enumeration

Related Identifiers

CVE-2025-34111

Affected Products

Elfinder
Tikiwiki Cms/Groupware