VYPR
Medium severity, score 5.7 · GHSA Advisory · Published May 8, 2026 · Updated May 13, 2026

CVE-2026-42267

Description

Kimai is an open-source time tracking application. From version 2.27.0 to before version 2.54.0, any ROLE_USER can create a tag with a formula string as its name (e.g. =SUM(54+51)) via POST /api/tags and assign it to a timesheet. When an admin exports timesheets to XLSX, ArrayFormatter.formatValue() joins tag names with implode() and returns the result unchanged. OpenSpout promotes any =-prefixed string to a FormulaCell, writing SUM(54+51) into the XLSX archive. Excel evaluates the formula when the file is opened. This issue has been patched in version 2.54.0.
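The root cause above is that a tag name is passed straight through to the spreadsheet writer, which decides the cell type from the leading character. The following PHP is an added example, not Kimai's or OpenSpout's code: a defensive neutraliser that an export formatter can apply to any user-controlled string before it reaches the writer. Function names (looksLikeSpreadsheetFormula, neutralizeForSpreadsheet, formatTagsForExport) are hypothetical, and the sample tag list is constructed; the only payload used is the one quoted in the description.

```php
<?php
// Added example, not code from the Kimai project or OpenSpout.
// Demonstrates neutralising spreadsheet formula injection in exported cells.
declare(strict_types=1);

/**
 * True if a spreadsheet application would interpret $value as a formula
 * when the cell is written without an explicit string type.
 * Leading whitespace is skipped first, because " =1+1" is still promoted
 * by some applications. Checked prefixes: = + - @ TAB CR.
 */
function looksLikeSpreadsheetFormula(string $value): bool
{
    $trimmed = ltrim($value, " \t\r\n");
    if ($trimmed === '') {
        return false;
    }
    return in_array($trimmed[0], ['=', '+', '-', '@', "\t", "\r"], true);
}

/**
 * Neutralise a user-controlled string for export. Plain numbers such as
 * "-5" are left alone so legitimate negative values survive; anything else
 * that looks like a formula gets a leading apostrophe, which spreadsheet
 * applications treat as "store as literal text" for CSV-style input.
 * For XLSX writers the stronger fix is to force the string cell type
 * (OpenSpout exposes an explicit string cell class for this; assumption
 * about its API, not verified against the advisory).
 */
function neutralizeForSpreadsheet(string $value): string
{
    if (is_numeric($value)) {
        return $value;
    }
    if (looksLikeSpreadsheetFormula($value)) {
        return "'" . $value;
    }
    return $value;
}

/**
 * Hardened counterpart of a formatter that joins tag names with implode().
 * Only the first character of the joined cell decides its type, so the
 * joined result is neutralised as a whole; each element is also cast to
 * string so non-string tags cannot bypass the check.
 */
function formatTagsForExport(array $tags): string
{
    $joined = implode(', ', array_map('strval', $tags));
    return neutralizeForSpreadsheet($joined);
}

// Constructed sample: the payload from the advisory plus benign tags.
$sampleTags = ['=SUM(54+51)', 'billable', 'client-a'];

echo "unsafe : " . implode(', ', $sampleTags) . PHP_EOL;
echo "safe   : " . formatTagsForExport($sampleTags) . PHP_EOL;
echo "number : " . neutralizeForSpreadsheet('-5') . PHP_EOL;
echo "plain  : " . neutralizeForSpreadsheet('billable') . PHP_EOL;
```

Run with `php example.php`. The unsafe line shows the string that, handed to a writer which autodetects cell types, becomes a formula cell; the safe line carries a leading apostrophe so the same writer sees an ordinary string. A detection counterpart for existing exports is the same predicate run over every cell of a generated file: any cell whose text begins with one of the checked prefixes and originated from user input deserves a review.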


Affected packages

Versions sourced from the GitHub Security Advisory.

Package: kimai/kimai (Packagist)
Affected versions: >= 2.27.0, < 2.54.0
Patched versions: 2.54.0

Affected products

  • Kimai/Kimai (GHSA, 2 version ranges)
    • no CPE: range >= 2.27.0, <= 2.53.0
    • cpe:2.3:a:kimai:kimai:*:*:*:*:*:*:*:* : range >= 2.27.0, < 2.54.0
  • ghsa-coords
    Range: >= 2.27.0, < 2.54.0
