| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2026-42267 | medium | 5.7 | 5.7 | 22d ago | Kimai vulnerable to formula injection via tag names in XLSX export | |
| CVE-2026-28685 | medium | — | 5.5 | 3mo ago | Kimai's API invoice endpoint missing customer-level access control (IDOR) | |
| CVE-2026-40479 | medium | 5.4 | 5.4 | 1mo ago | Kimai has Stored XSS via incomplete HTML attribute escaping in Team Member widget | |
| CVE-2026-44298 | medium | 4.9 | 4.9 | 19d ago | Kimai has an arbitrary file read in its invoice PDF renderer (admin) | |
| CVE-2026-40486 | medium | 4.3 | 4.3 | 1mo ago | Kimai's User Preferences API allows standard users to modify restricted attributes: hourly_rate, internal_rate | |
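The first entry, formula injection through tag names, is the generic spreadsheet-export problem: any user-supplied string that reaches a cell and begins with `=`, `+`, `-` or `@` (or a tab or carriage return that an importer strips first) is evaluated as a formula by Excel, LibreOffice and Google Sheets. The following is an added example of the usual neutralization, not Kimai's code and not taken from the advisory; the column names, the `export_rows` helper and the sample rows are constructed for illustration. It prefixes formula-like text cells with an apostrophe so the spreadsheet stores them as literal text.

```python
import csv
import io

# Leading characters that make common spreadsheets parse a text cell as a
# formula. Tab and CR are included because some importers strip them before
# deciding whether the cell is a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    # Leading whitespace is not protection: " =1+1" still evaluates after a
    # trim in some importers, so the check is applied to the stripped value.
    stripped = value.lstrip(" \t\r\n")
    return stripped[:1] in FORMULA_TRIGGERS


def neutralize_cell(value):
    # Only text cells can carry a formula. Numbers and dates written with a
    # typed cell are left alone; converting them to strings would lose typing
    # and, for negatives, would trigger the "-" rule below.
    if not isinstance(value, str):
        return value
    if is_formula_like(value):
        # A leading apostrophe is the spreadsheet marker for "literal text";
        # it is not displayed but it stops formula evaluation.
        return "'" + value
    return value


def export_rows(rows):
    # Constructed export: rows are dicts with a user-controlled "tag" and a
    # numeric "hours". CSV is used here for a self-contained demonstration;
    # the same neutralization applies to cells handed to an XLSX writer.
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)
    writer.writerow(["tag", "hours"])
    for row in rows:
        writer.writerow([neutralize_cell(row["tag"]), row["hours"]])
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: one benign tag and one formula-like tag.
    sample = [
        {"tag": "ops", "hours": 2},
        {"tag": '=HYPERLINK("http://example.invalid","click")', "hours": 1.5},
    ]
    print(export_rows(sample))
```

When the export goes through a spreadsheet library that auto-detects formulas from a leading `=`, the cleaner fix is to write user-controlled values with an explicit string cell type rather than relying on auto-detection; the apostrophe prefix above is the format-independent fallback, and it must be applied to every user-controlled text column (tag names here, but equally project, customer and activity names), not only the one named in the advisory.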