VYPR
Vendor: Kimai
Products: 1
CVEs: 12 (across products: 12)
Status: Private

Recent CVEs (12)
  • CVE-2013-10033 (Critical), Jul 31, 2025
    risk 0.69, cvss (none), epss 0.01

    An unauthenticated SQL injection vulnerability exists in Kimai version 0.9.2.x via the db_restore.php endpoint. The flaw allows attackers to inject arbitrary SQL queries into the dates[] POST parameter, enabling file write via INTO OUTFILE under specific environmental…

  • CVE-2026-42267 (Medium), May 8, 2026
    risk 0.37, cvss 5.7, epss 0.00

    Kimai is an open-source time tracking application. From version 2.27.0 to before version 2.54.0, any ROLE_USER can create a tag with a formula string as its name (e.g. =SUM(54+51)) via POST /api/tags and assign it to a timesheet. When an admin exports timesheets to XLSX,…

  • CVE-2026-40479 (Medium), Apr 17, 2026
    risk 0.28, cvss 5.4, epss 0.00

    Kimai is an open-source time tracking application. In versions 1.16.3 through 2.52.0, the escapeForHtml() function in KimaiEscape.js does not escape double quote or single quote characters. When a user's profile alias is inserted into an HTML attribute context via the team…

  • CVE-2026-40486 (Medium), Apr 17, 2026
    risk 0.21, cvss 4.3, epss 0.00

    Kimai is an open-source time tracking application. In versions 2.52.0 and below, the User Preferences API endpoint (PATCH /api/users/{id}/preferences) applies submitted preference values without checking the isEnabled() flag on preference objects. Although the hourly_rate and…

  • CVE-2026-44298 (Medium), May 8, 2026
    risk 0.20, cvss 4.1, epss 0.00

    Kimai is an open-source time tracking application. From version 2.32.0 to before version 2.56.0, users with the role System-Admin (ROLE_SYSTEM_ADMIN) and the permission upload_invoice_template can upload PDF invoice templates, which can call pdfContext.setOption('associated_files'…

  • CVE-2026-41498 (Low), May 8, 2026
    risk 0.14, cvss 3.3, epss 0.00

    Kimai is an open-source time tracking application. Prior to version 2.54.0, the Team API endpoints use #[IsGranted('edit_team')] instead of #[IsGranted('edit', 'team')], causing Symfony TeamVoter to abstain from voting. This removes entity-level ownership checks on team…

  • CVE-2026-28685, Mar 6, 2026
    risk 0.00, cvss (none), epss 0.00

    Kimai is a web-based multi-user time-tracking application. Prior to version 2.51.0, "GET /api/invoices/{id}" only checks the role-based view_invoice permission but does not verify the requesting user has access to the invoice's customer. Any user with ROLE_TEAMLEAD (which grants…

  • CVE-2026-23626, Jan 18, 2026
    risk 0.00, cvss (none), epss 0.00

    Kimai is a web-based multi-user time-tracking application. Prior to version 2.46.0, Kimai's export functionality uses a Twig sandbox with an overly permissive security policy (`DefaultPolicy`) that allows arbitrary method calls on objects available in the template context. An…

  • CVE-2024-4596, May 7, 2024
    risk 0.00, cvss (none), epss 0.01

    A vulnerability was found in Kimai up to 2.15.0 and classified as problematic. Affected by this issue is some unknown functionality of the component Session Handler. The manipulation of the argument PHPSESSIONID leads to information disclosure. The attack may be launched…

  • CVE-2024-29200, Mar 28, 2024
    risk 0.00, cvss (none), epss 0.01

    Kimai is a web-based multi-user time-tracking application. The permission `view_other_timesheet` performs differently for the Kimai UI and the API, thus returning unexpected data through the API. When setting the `view_other_timesheet` permission to true, on the frontend, users…

  • CVE-2023-46245, Oct 31, 2023
    risk 0.00, cvss (none), epss 0.01

    Kimai is a web-based multi-user time-tracking application. Versions prior to 2.1.0 are vulnerable to a Server-Side Template Injection (SSTI) which can be escalated to Remote Code Execution (RCE). The vulnerability arises when a malicious user uploads a specially crafted Twig…

  • CVE-2021-43515, Apr 8, 2022
    risk 0.00, cvss (none), epss 0.01

    CSV Injection (aka Excel Macro Injection or Formula Injection) exists when creating a new timesheet in Kimai. If the Description field is filled with a malicious payload, that payload is mishandled (interpreted as a formula) when the timesheet is exported to a CSV file.