VIR Vulnerability Intelligence Relay

CVE-2026-44298

medium
Published 2026-05-08 · Modified 2026-05-08
CVSS v3
4.9
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
CVSS v2
VIR risk
4.9

Description

Kimai has an arbitrary file read in its invoice PDF renderer (admin)

Predictions

Exploit likelihood
59%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/kimai/kimai/security/advisories/GHSA-h5fh-7hwr-97mw

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/kimai/kimai/releases/tag/2.56.0

Package impact
EcosystemPackageVulnerableFixed
php Packagistkimai/kimai>=2.32.0,<=2.55
php Packagistkimai/kimai>=2.32.0,<2.562.56
php COMPOSERkimai/kimai>= 2.32.0, <= 2.552.56

Application impact
VendorProductVersionsFixed
kimaikimai{"startIncluding":"2.32.0","endExcluding":"2.56.0"}2.56.0

References

CWEs

CWE-22

Verify integrity in audit chain (admin only). AS-IS.