CVE-2025-32461

wikiplugin_includetpl in lib/wiki-plugins/wikiplugin_includetpl.php in Tiki before 28.3 mishandles input to an eval. The fixed versions are 21.12, 24.8, 27.2, and 28.3.

CVSS v3 9.9 CRITICAL

9.9^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.1 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://gitlab.com/tikiwiki/tiki/-/commit/406bea4f6c379a23903ecfd55e538d90fd669ab0
https://gitlab.com/tikiwiki/tiki/-/commit/801ed912390c2aa6caf12b7b953e200f5d4bc0b1
https://gitlab.com/tikiwiki/tiki/-/commit/9ffb4ab21bd86837370666ecd6afd868f3d7877a
https://gitlab.com/tikiwiki/tiki/-/commit/be8dc1aa220fbceb07a7a5dc36416243afccd358
https://gitlab.com/tikiwiki/tiki/-/commit/f3f36c1ac702479209acfcaec5789d2fd1f996bc
https://tiki.org/article517
https://tiki.org/article518
http://seclists.org/fulldisclosure/2025/Jul/11

Configurations

No configuration.

History

03 Nov 2025, 20:18

Type	Values Removed	Values Added
References		() http://seclists.org/fulldisclosure/2025/Jul/11 -

Information

Published : 2025-04-09 02:15

Updated : 2025-11-03 20:18

NVD link : CVE-2025-32461

Mitre link : CVE-2025-32461

CVE.ORG link : CVE-2025-32461

JSON object : View

Products Affected

No product.

CWE

CWE-1336

Improper Neutralization of Special Elements Used in a Template Engine

9.9 /10