Package impact
Packagist / kimai/kimai
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2026-42267 | medium | 5.7 | 5.7 | 23d ago | Kimai vulnerable to formula Injection via tag names in XLSX export | |
| CVE-2026-28685 | medium | — | 5.5 | 3mo ago | Kimai's API invoice endpoint missing customer-level access control (IDOR) | |
| CVE-2026-40479 | medium | 5.4 | 5.4 | 1mo ago | Kimai has Stored XSS via Incomplete HTML Attribute Escaping in Team Member Widget | |
| CVE-2026-44298 | medium | 4.9 | 4.9 | 20d ago | Kimai has an arbitrary file read in its invoice PDF renderer (admin) | |
| CVE-2026-40486 | medium | 4.3 | 4.3 | 1mo ago | Kimai's User Preferences API allows standard users to modify restricted attributes: hourly_rate, internal_rate | |
| CVE-2026-41498 | low | 3.3 | 3.3 | 21d ago | Kimai has Missing Object-Level Authorization in the Team API | |