kimai/kimai Security Advisories for 1.0 (9)
[MEDIUM] Kimai's API invoice endpoint missing customer-level access control (IDOR)
PKSA-j5f5-11n1-y3zr CVE-2026-28685 GHSA-v33r-r6h2-8wr7
Affected version: <=2.50.0
Reported by: GitHub

[MEDIUM] Kimai 2 vulnerable to persistent cross-site scripting in the timesheet descriptions
PKSA-2hk7-7wzk-4rts CVE-2019-25317 GHSA-9278-6hcj-2p4j
Affected version: <1.1
Reported by: GitHub

[MEDIUM] Kimai has an Authenticated Server-Side Template Injection (SSTI)
PKSA-pn9p-tcw8-rbpj CVE-2026-23626 GHSA-jg2j-2w24-54cg
Affected version: <2.46.0
Reported by: GitHub

[HIGH] Kimai contains a SameSite cookie vulnerability
PKSA-kh61-fncz-s7b4 CVE-2023-53957 GHSA-cv8h-r7r5-vwj9
Affected version: <=1.30.10
Reported by: GitHub

[HIGH] Kimai has an XXE Leading to Local File Read
PKSA-xxx2-wfk5-mvc4 GHSA-534c-hcr7-67jg
Affected version: <=2.20.1
Reported by: GitHub

[LOW] Kimai information disclosure vulnerability
PKSA-bvvn-7cvc-s7by CVE-2024-4596 GHSA-6f3v-2r2j-2rpr
Affected version: <2.16.0
Reported by: GitHub

[MEDIUM] Kimai API returns timesheet entries a user should not be authorized to view
PKSA-x5fv-txyx-qvzn CVE-2024-29200 GHSA-cj3c-5xpm-cx94
Affected version: <2.13.0
Reported by: GitHub

[HIGH] Kimai (Authenticated) SSTI to RCE by Uploading a Malicious Twig File
PKSA-7k8c-hhnj-9sqr CVE-2023-46245 GHSA-fjhg-96cp-6fcw
Affected version: <2.1.0
Reported by: GitHub

[CRITICAL] Cross-site Scripting in kimai/kimai
PKSA-7mp4-yg6d-q7xs CVE-2020-19825 GHSA-r58m-v5pr-jhhq
Affected version: <1.1
Reported by: GitHub