Browse all 7 CVE security advisories affecting kimai. AI-powered Chinese analysis, POCs, and references for each vulnerability.
| CVE ID | Title | Package | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-40486 | Kimai's User Preferences API allows standard users to modify restricted attributes: hourly_rate, internal_rate | kimai | CWE-915 | 4.3 | Medium | 2026-04-17 |
| CVE-2026-40479 | Kimai: Stored XSS via Incomplete HTML Attribute Escaping in Team Member Widget | kimai | CWE-79 | 5.4 | Medium | 2026-04-17 |
| CVE-2026-28685 | Kimai: API invoice endpoint missing customer-level access control (IDOR) | kimai | CWE-285 | 6.5 | Medium | 2026-03-06 |
| CVE-2026-23626 | Kimai Vulnerable to Authenticated Server-Side Template Injection (SSTI) | kimai | CWE-1336 | 6.8 | Medium | 2026-01-18 |
| CVE-2023-53957 | Kimai 1.30.10 SameSite Cookie Vulnerability Session Hijacking | Kimai | CWE-1275 | 9.8 | Critical | 2025-12-19 |
| CVE-2024-29200 | API returns timesheet entries a user should not be authorized to view | kimai | CWE-1220 | 6.8 | Medium | 2024-03-28 |
| CVE-2023-46245 | Kimai (Authenticated) SSTI to RCE by Uploading a Malicious Twig File | kimai | CWE-1336 | 7.2 | High | 2023-10-31 |
This page lists every published CVE security advisory associated with kimai. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.