CVE-2026-23626
unknown
CVSS v3
—
CVSS v2
—
VIR risk
—
Description
Kimai has an Authenticated Server-Side Template Injection (SSTI)
Predictions
Exploit likelihood
30%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No vendor mitigations ingested yet for this CVE; see the references list below.
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Packagist | kimai/kimai | <2.46.0 | 2.46.0 |
References
- https://github.com/kimai/kimai/security/advisories/GHSA-jg2j-2w24-54cg
- https://nvd.nist.gov/vuln/detail/CVE-2026-23626
- https://github.com/kimai/kimai/pull/5757
- https://github.com/kimai/kimai/commit/6a86afb5fd79f6c1825060b87c09bd1909c2e86f
- https://github.com/kimai/kimai
- https://github.com/kimai/kimai/releases/tag/2.46.0
- https://twig.symfony.com/doc/3.x/api.html#sandbox-extension