Kimai Kimai
10 CVEs affecting Kimai Kimai. Latest disclosed: 2026-05-08. Critical: 1, High: 1.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2023-53957 | Critical | 9.8 | 2025-12-19 | Kimai 1.30.10 contains a SameSite cookie vulnerability that allows attackers to steal user session cookies through malicious exploitation. Attackers can trick… |
| CVE-2023-46245 | High | 7.2 | 2023-10-31 | Kimai is a web-based multi-user time-tracking application. Versions prior to 2.1.0 are vulnerable to a Server-Side Template Injection (SSTI) which can be escal… |
| CVE-2026-23626 | Medium | 6.8 | 2026-01-18 | Kimai is a web-based multi-user time-tracking application. Prior to version 2.46.0, Kimai's export functionality uses a Twig sandbox with an overly permissive… |
| CVE-2024-29200 | Medium | 6.8 | 2024-03-28 | Kimai is a web-based multi-user time-tracking application. The permission `view_other_timesheet` performs differently for the Kimai UI and the API, thus return… |
| CVE-2026-28685 | Medium | 6.5 | 2026-03-06 | Kimai is a web-based multi-user time-tracking application. Prior to version 2.51.0, "GET /api/invoices/{id}" only checks the role-based view_invoice permission… |
| CVE-2026-42267 | Medium | 5.7 | 2026-05-08 | Kimai is an open-source time tracking application. From version 2.27.0 to before version 2.54.0, any ROLE_USER can create a tag with a formula string as its na… |
| CVE-2026-40479 | Medium | 5.4 | 2026-04-17 | Kimai is an open-source time tracking application. In versions 1.16.3 through 2.52.0, the escapeForHtml() function in KimaiEscape.js does not escape double quo… |
| CVE-2026-40486 | Medium | 4.3 | 2026-04-17 | Kimai is an open-source time tracking application. In versions 2.52.0 and below, the User Preferences API endpoint (PATCH /api/users/{id}/preferences) applies… |
| CVE-2026-44298 | Medium | 4.1 | 2026-05-08 | Kimai is an open-source time tracking application. From version 2.32.0 to before version 2.56.0, users with the role System-Admin (ROLE_SYSTE_ADMIN) and the pe… |
| CVE-2026-41498 | Low | 3.3 | 2026-05-08 | Kimai is an open-source time tracking application. Prior to version 2.54.0, the Team API endpoints use #[IsGranted('edit_team')] instead of #[IsGranted('edit'… |