{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-46878", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-24T15:14:22.267Z", "dateReserved": "2024-09-12T00:00:00.000Z", "datePublished": "2026-03-23T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-23T19:21:26.723Z"}, "descriptions": [{"lang": "en", "value": "A Cross-Site Scripting (XSS) vulnerability exists in the page parameter of tiki-editpage.php in Tiki version 26.3 and earlier. This vulnerability allows attackers to execute arbitrary JavaScript code via a crafted payload, leading to potential access to sensitive information or unauthorized actions."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://tiki.org/tiki-newsletters.php?nlId=8&info=1"}, {"url": "https://github.com/ColdFusionX/CVE-2024-46878-TikiCMS-XSS"}, {"url": "https://tiki.org/article514-New-Security-Updates-Released-for-Tiki-27-x-LTS-26-x-and-24-x-LTS-and-Upgrade-is-Strongly-Recommended"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "references": [{"url": "https://github.com/ColdFusionX/CVE-2024-46878-TikiCMS-XSS", "tags": ["exploit"]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T15:06:47.773794Z", "id": "CVE-2024-46878", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T15:14:22.267Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-46878", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-24T15:14:22.267Z", "dateReserved": "2024-09-12T00:00:00.000Z", "datePublished": "2026-03-23T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-23T19:21:26.723Z"}, "descriptions": [{"lang": "en", "value": "A Cross-Site Scripting (XSS) vulnerability exists in the page parameter of tiki-editpage.php in Tiki version 26.3 and earlier. This vulnerability allows attackers to execute arbitrary JavaScript code via a crafted payload, leading to potential access to sensitive information or unauthorized actions."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://tiki.org/tiki-newsletters.php?nlId=8&info=1"}, {"url": "https://github.com/ColdFusionX/CVE-2024-46878-TikiCMS-XSS"}, {"url": "https://tiki.org/article514-New-Security-Updates-Released-for-Tiki-27-x-LTS-26-x-and-24-x-LTS-and-Upgrade-is-Strongly-Recommended"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-46878", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T15:06:47.773794Z"}}}], "references": [{"url": "https://github.com/ColdFusionX/CVE-2024-46878-TikiCMS-XSS", "tags": ["exploit"]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T15:07:12.782Z"}}]}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tiki:tiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "827E97B6-4AE3-4807-8A3D-DDB9039B0ECE", "versionEndExcluding": "27.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A Cross-Site Scripting (XSS) vulnerability exists in the page parameter of tiki-editpage.php in Tiki version 26.3 and earlier. This vulnerability allows attackers to execute arbitrary JavaScript code via a crafted payload, leading to potential access to sensitive information or unauthorized actions."}, {"lang": "es", "value": "Una vulnerabilidad de cross-site scripting (XSS) existe en el par\u00e1metro 'page' de tiki-editpage.PHP en Tiki versi\u00f3n 26.3 y anteriores. Esta vulnerabilidad permite a los atacantes ejecutar c\u00f3digo JavaScript arbitrario mediante una carga \u00fatil manipulada, lo que puede llevar a un acceso potencial a informaci\u00f3n sensible o acciones no autorizadas."}], "id": "CVE-2024-46878", "lastModified": "2026-04-02T20:11:23.367", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-23T20:16:22.383", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/ColdFusionX/CVE-2024-46878-TikiCMS-XSS"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://tiki.org/article514-New-Security-Updates-Released-for-Tiki-27-x-LTS-26-x-and-24-x-LTS-and-Upgrade-is-Strongly-Recommended"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://tiki.org/tiki-newsletters.php?nlId=8&info=1"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/ColdFusionX/CVE-2024-46878-TikiCMS-XSS"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.3]"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "tiki", "vendor": "tiki"}], "analysis": {"en": {"generated_at": "2026-04-02T22:46:26.323285+00:00", "value": {"mitigation_remediation": ["Upgrade Tiki CMS to version 27.x or later, which removes the XSS vulnerability.", "Restrict access to tiki\u2011editpage.php so that only trusted, authenticated users can invoke it.", "Validate and sanitize all input parameters before use to guard against similar injection flaws."], "summary": {"action": "Patch", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The issue impacts all Tiki CMS releases 26.3 and earlier. Any installation running those versions is vulnerable until the security update for the 27.x or newer LTS releases is applied.", "description_and_impact": "The vulnerability is a Cross\u2011Site Scripting flaw located in the page parameter of tiki\u2011editpage.php. It allows an attacker to inject and execute arbitrary JavaScript in the browser of any user who views the affected page, potentially enabling theft of session data, impersonation, or execution of unauthorized actions on the victim's behalf. This flaw corresponds to CWE\u201179 and can compromise the confidentiality and integrity of user information.", "risk_and_exploitability": "With a CVSS score of 5.4 the vulnerability is considered moderate in severity. The EPSS score is below 1%, indicating that exploitation is unlikely to be widely used, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. It is inferred that the attack vector would be through a crafted URL or form submission targeting the page parameter, potentially affecting both authenticated and unauthenticated users depending on configuration. No public workaround is documented, so the only viable mitigation is to remove the vulnerable code by upgrading the CMS."}}}}, "created": "2026-03-24T10:34:59.513027+00:00", "updated": "2026-04-03T09:39:11.855846+00:00", "vendors": ["tiki", "tiki$PRODUCT$tiki"]}