CRITICAL🇵🇱 Wersja polska

CVE-2025-32461

CVSS 9.9v3.1pub. 2025-04-09upd. 2026-04-15

wikiplugin_includetpl in lib/wiki-plugins/wikiplugin_includetpl.php in Tiki before 28.3 mishandles input to an eval. The fixed versions are 21.12, 24.8, 27.2, and 28.3.

🤖 AI Analysis
How it works

The wikiplugin_includetpl function in the file lib/wiki-plugins/wikiplugin_includetpl.php does not properly validate input data before passing it to the eval() call in PHP. The vulnerability classified as CWE-1336 (improper neutralization of special elements used in template engines) allows an attacker to inject malicious code, which will then be executed by the PHP interpreter. Due to the AV:N/PR:L vector, only basic user account access with network access is sufficient to carry out the attack.

Impact

An attacker can gain full control over the server, including reading and modifying data (C:H/I:H/A:H) and breaking out of the application scope to other systems in the network (S:C — scope change). Successful exploitation of the vulnerability leads to remote code execution (RCE) with potential for lateral movement in the infrastructure.

Mitigation & patch

Tiki should be updated as soon as possible to one of the patched versions: 21.12, 24.8, 27.2 or 28.3. Details of the patches are available in the references to commits in the Tiki project GitLab repository. Until the update is applied, it is recommended to restrict access to the instance exclusively to trusted users and consider disabling the wikiplugin_includetpl plugin.

Who is affected

Tiki Wiki CMS/Groupware in all versions earlier than 28.3. Fixed versions in branches: 21.x (from 21.12), 24.x (from 24.8), 27.x (from 27.2), and 28.x (from 28.3).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References