kimai CVE Vulnerabilities and CVE List (20)

Product (CPE): — CVE count: 20

kimai Vulnerability Overview

This page aggregates CVE and security vulnerability information across all kimai-related products, listing CVSS, EPSS, publication date, and vulnerability details.

The published issues most often relate to cross-site scripting, CSRF, and path-handling flaws, and in the context of software deployment and production workloads they can carry exposure risks such as session compromise and file overwrite.

The listed data is based on public vulnerability information and security advisories and can be used to assess historical exposure and remediation priority.

Vulnerability distribution trend (last 24 months)

| CVE | Summary | Source | Max CVSS | EPSS (%) | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-44298 | Kimai is an open-source time tracking application. From version 2.32.0 to before version 2.56.0, users with the role System-Admin (ROLE_SYSTE_ADMIN) and the permission upload_invoice_template can upload PDF invoice templates, which can call pdfContext.setOption('associated_files', ...) inside the sandboxed Twig render. This is forwarded to mPDF's SetAssociatedFiles(), whose writer calls file_get_contents($entry['path']) during PDF output and embeds the bytes as a FlateDecode stream in the PDF. A | [email protected] | 4.1 | 0.05% | 2026-05-08 | 2026-05-08 |
| CVE-2026-42267 | Kimai is an open-source time tracking application. From version 2.27.0 to before version 2.54.0, any ROLE_USER can create a tag with a formula string as its name (e.g. =SUM(54+51)) via POST /api/tags and assign it to a timesheet. When an admin exports timesheets to XLSX, ArrayFormatter.formatValue() joins tag names with implode() and returns the result unchanged. OpenSpout promotes any =-prefixed string to a FormulaCell, writing <f>SUM(54+51)</f> into the XLSX archive. Excel evaluates the formul | [email protected] | 5.4 | 0.05% | 2026-05-08 | 2026-05-13 |
| CVE-2026-41498 | Kimai is an open-source time tracking application. Prior to version 2.54.0, the Team API endpoints use #[IsGranted('edit_team')] instead of #[IsGranted('edit', 'team')], causing Symfony TeamVoter to abstain from voting. This removes entity-level ownership checks on team operations, allowing any user with the edit_team permission to modify any team, not just teams they are authorized to manage. This issue has been patched in version 2.54.0. | [email protected] | 3.3 | 0.02% | 2026-05-08 | 2026-05-12 |
| CVE-2026-40486 | Kimai is an open-source time tracking application. In versions 2.52.0 and below, the User Preferences API endpoint (PATCH /api/users/{id}/preferences) applies submitted preference values without checking the isEnabled() flag on preference objects. Although the hourly_rate and internal_rate fields are correctly marked as disabled for users lacking the hourly-rate role permission, the API ignores this restriction and saves the values directly. Any authenticated user can modify their own billing ra | [email protected] | 4.3 | 0.04% | 2026-04-17 | 2026-04-27 |
| CVE-2026-40479 | Kimai is an open-source time tracking application. In versions 1.16.3 through 2.52.0, the escapeForHtml() function in KimaiEscape.js does not escape double quote or single quote characters. When a user's profile alias is inserted into an HTML attribute context via the team member form prototype and rendered through innerHTML, this incomplete escaping allows HTML attribute injection. An authenticated user with ROLE_USER privileges can store a malicious alias that executes JavaScript in the browse | [email protected] | 5.4 | 0.03% | 2026-04-17 | 2026-04-27 |
| CVE-2026-28685 | Kimai is a web-based multi-user time-tracking application. Prior to version 2.51.0, "GET /api/invoices/{id}" only checks the role-based view_invoice permission but does not verify the requesting user has access to the invoice's customer. Any user with ROLE_TEAMLEAD (which grants view_invoice) can read all invoices in the system, including those belonging to customers assigned to other teams. This issue has been patched in version 2.51.0. | [email protected] | 6.5 | 0.03% | 2026-03-06 | 2026-03-10 |
| CVE-2019-25317 | Kimai 2 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts into timesheet descriptions. Attackers can insert SVG-based XSS payloads in the description field to execute arbitrary JavaScript when the page is loaded and viewed by other users. | [email protected] | 5.1 | 0.01% | 2026-02-11 | 2026-02-19 |
| CVE-2026-23626 | Kimai is a web-based multi-user time-tracking application. Prior to version 2.46.0, Kimai's export functionality uses a Twig sandbox with an overly permissive security policy (`DefaultPolicy`) that allows arbitrary method calls on objects available in the template context. An authenticated user with export permissions can deploy a malicious Twig template that extracts sensitive information including environment variables, all user password hashes, serialized session tokens, and CSRF tokens. Vers | [email protected] | 6.8 | 0.06% | 2026-01-18 | 2026-02-18 |
| CVE-2023-53957 | Kimai 1.30.10 contains a SameSite cookie vulnerability that allows attackers to steal user session cookies through malicious exploitation. Attackers can trick victims into executing a crafted PHP script that captures and writes session cookie information to a file, enabling potential session hijacking. | [email protected] | 8.5 | 0.12% | 2025-12-19 | 2026-02-19 |
| CVE-2024-4596 | A vulnerability was found in Kimai up to 2.15.0 and classified as problematic. Affected by this issue is some unknown functionality of the component Session Handler. The manipulation of the argument PHPSESSIONID leads to information disclosure. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. Upgrading to version 2.16.0 is able to address this issue. It is recommended to upgrade the affected component. VDB-263318 is the i | [email protected] | 3.7 | 0.26% | 2024-05-07 | 2025-10-10 |
| CVE-2024-29200 | Kimai is a web-based multi-user time-tracking application. The permission `view_other_timesheet` performs differently for the Kimai UI and the API, thus returning unexpected data through the API. When setting the `view_other_timesheet` permission to true, on the frontend, users can only see timesheet entries for teams they are a part of. When requesting all timesheets from the API, however, all timesheet entries are returned, regardless of whether the user shares team permissions or not. This vu | [email protected] | 6.8 | 0.28% | 2024-03-28 | 2025-10-10 |
| CVE-2023-46245 | Kimai is a web-based multi-user time-tracking application. Versions prior to 2.1.0 are vulnerable to a Server-Side Template Injection (SSTI) which can be escalated to Remote Code Execution (RCE). The vulnerability arises when a malicious user uploads a specially crafted Twig file, exploiting the software's PDF and HTML rendering functionalities. Version 2.1.0 enables security measures for custom Twig templates. | [email protected] | 7.2 | 2.48% | 2023-10-31 | 2024-11-21 |
| CVE-2020-19825 | Cross Site Scripting (XSS) vulnerability in kevinpapst kimai2 1.30.0 in /src/Twig/Runtime/MarkdownExtension.php, allows attackers to gain escalated privileges. | [email protected] | 9.6 | 0.99% | 2023-02-15 | 2025-03-19 |
| CVE-2021-43515 | CSV Injection (aka Excel Macro Injection or Formula Injection) exists in creating new timesheet in Kimai. By filling the Description field with malicious payload, it will be mistreated while exporting to a CSV file. | [email protected] | 7.8 | 0.48% | 2022-04-08 | 2024-11-21 |
| CVE-2021-4033 | kimai2 is vulnerable to Cross-Site Request Forgery (CSRF) | [email protected] | 6.5 | 0.12% | 2021-12-09 | 2024-11-21 |
| CVE-2021-3985 | kimai2 is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | [email protected] | 9.0 | 0.41% | 2021-12-01 | 2024-11-21 |
| CVE-2021-3963 | kimai2 is vulnerable to Cross-Site Request Forgery (CSRF) | [email protected] | 4.3 | 0.06% | 2021-11-19 | 2024-11-21 |
| CVE-2021-3957 | kimai2 is vulnerable to Cross-Site Request Forgery (CSRF) | [email protected] | 4.3 | 0.06% | 2021-11-19 | 2024-11-21 |
| CVE-2021-3976 | kimai2 is vulnerable to Cross-Site Request Forgery (CSRF) | [email protected] | 6.5 | 0.06% | 2021-11-19 | 2024-11-21 |
| CVE-2019-15481 | Kimai v2 before 1.1 has XSS via a timesheet description. | [email protected] | 6.1 | 0.22% | 2019-08-23 | 2024-11-21 |
cvelogic Threat Intelligence