| CVE | Severity | Score | Score | Age | Title |
|---|---|---|---|---|---|
| CVE-2026-42267 | medium | 5.7 | 5.7 | 22d ago | Kimai vulnerable to formula Injection via tag names in XLSX export |
| CVE-2026-28685 | medium | — | 5.5 | 3mo ago | Kimai's API invoice endpoint missing customer-level access control (IDOR) |
| CVE-2026-40479 | medium | 5.4 | 5.4 | 1mo ago | Kimai has Stored XSS via Incomplete HTML Attribute Escaping in Team Member Widget |
| CVE-2026-44298 | medium | 4.9 | 4.9 | 19d ago | Kimai has an arbitrary file read in its invoice PDF renderer (admin) |
| CVE-2026-40486 | medium | 4.3 | 4.3 | 1mo ago | Kimai's User Preferences API allows standard users to modify restricted attributes: hourly_rate, internal_rate |
| CVE-2026-41498 | low | 3.3 | 3.3 | 20d ago | Kimai has Missing Object-Level Authorization in the Team API |
| CVE-2019-25317 | unknown | — | — | 4mo ago | Kimai 2 vulnerable to persistent cross-site scripting in the timesheet descriptions |
| CVE-2026-23626 | unknown | — | — | 4mo ago | Kimai has an Authenticated Server-Side Template Injection (SSTI) |
| CVE-2023-53957 | unknown | — | — | 5mo ago | Kimai contains a SameSite cookie vulnerability |
| CVE-2024-4596 | unknown | — | — | 2y ago | Kimai information disclosure vulnerability |
| CVE-2024-29200 | unknown | — | — | 2y ago | Kimai API returns timesheet entries a user should not be authorized to view |
| CVE-2023-46245 | unknown | — | — | 3y ago | Kimai (Authenticated) SSTI to RCE by Uploading a Malicious Twig File |
| CVE-2020-19825 | unknown | — | — | 3y ago | Cross-site Scripting in kimai/kimai |