| CVE | Severity | Score | Score | Published | Advisory |
|---|---|---|---|---|---|
| CVE-2026-42267 | medium | 5.7 | 5.7 | 29d ago | Kimai vulnerable to formula Injection via tag names in XLSX export |
| CVE-2026-28685 | medium | — | 5.5 | 3mo ago | Kimai's API invoice endpoint missing customer-level access control (IDOR) |
| CVE-2026-40479 | medium | 5.4 | 5.4 | 2mo ago | Kimai has Stored XSS via Incomplete HTML Attribute Escaping in Team Member Widget |
| CVE-2026-44298 | medium | 4.9 | 4.9 | 26d ago | Kimai has an arbitrary file read in its invoice PDF renderer (admin) |
| CVE-2026-40486 | medium | 4.3 | 4.3 | 2mo ago | Kimai's User Preferences API allows standard users to modify restricted attributes: hourly_rate, internal_rate |
| CVE-2026-41498 | low | 3.3 | 3.3 | 27d ago | Kimai has Missing Object-Level Authorization in the Team API |
| CVE-2019-25317 | unknown | — | — | 4mo ago | Kimai 2 vulnerable to persistent cross-site scripting in the timesheet descriptions |
| CVE-2026-23626 | unknown | — | — | 4mo ago | Kimai has an Authenticated Server-Side Template Injection (SSTI) |
| CVE-2023-53957 | unknown | — | — | 6mo ago | Kimai contains a SameSite cookie vulnerability |
| CVE-2024-4596 | unknown | — | — | 2y ago | Kimai information disclosure vulnerability |
| CVE-2024-29200 | unknown | — | — | 2y ago | Kimai API returns timesheet entries a user should not be authorized to view |
| CVE-2023-46245 | unknown | — | — | 3y ago | Kimai (Authenticated) SSTI to RCE by Uploading a Malicious Twig File |
| CVE-2020-19825 | unknown | — | — | 3y ago | Cross-site Scripting in kimai/kimai |