Package impact
COMPOSER / kimai/kimai
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-42267 | medium | 5.7 | 5.7 | 23d ago | Kimai vulnerable to formula Injection via tag names in XLSX export | |||
| CVE-2026-28685 | medium | — | 5.5 | 3mo ago | Kimai's API invoice endpoint missing customer-level access control (IDOR) | |||
| CVE-2026-44298 | medium | 4.9 | 4.9 | 20d ago | Kimai has an arbitrary file read in its invoice PDF renderer (admin) | |||
| CVE-2026-41498 | low | 3.3 | 3.3 | 21d ago | Kimai has Missing Object-Level Authorization in the Team API |