CVE-2024-46878

low-risk

Published 2026-03-23

A Cross-Site Scripting (XSS) vulnerability exists in the page parameter of tiki-editpage.php in Tiki version 26.3 and earlier. This vulnerability allows attackers to execute arbitrary JavaScript code via a crafted payload, leading to potential access to sensitive information or unauthorized actions.

Do I need to act?

0.03% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.4/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Tiki

Affected Vendors

Tiki

References (4)

Exploit https://github.com/ColdFusionX/CVE-2024-46878-TikiCMS-XSS

Release Notes https://tiki.org/article514-New-Security-Updates-Released-for-Tiki-27-x-LTS-26-x...

Product https://tiki.org/tiki-newsletters.php?nlId=8&info=1

Exploit https://github.com/ColdFusionX/CVE-2024-46878-TikiCMS-XSS

/ 100

low-risk

Severity 21/34 · High

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal