kimai/kimai Security Advisories for 2.19.1 (3)

[MEDIUM] Kimai's API invoice endpoint missing customer-level access control (IDOR)
PKSA-j5f5-11n1-y3zr / CVE-2026-28685 / GHSA-v33r-r6h2-8wr7
Affected version: <=2.50.0
Reported by:

[MEDIUM] Kimai has an Authenticated Server-Side Template Injection (SSTI)
PKSA-pn9p-tcw8-rbpj / CVE-2026-23626 / GHSA-jg2j-2w24-54cg
Affected version: <2.46.0
Reported by:

[HIGH] Kimai has an XXE Leading to Local File Read
PKSA-xxx2-wfk5-mvc4 / GHSA-534c-hcr7-67jg
Affected version: <=2.20.1
Reported by:
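The affected-version ranges in the listing are the only actionable detail on this page, so a quick way to use them is to match an installed Kimai release against all three at once. The script below is an added example, not Kimai project code: it copies the three GHSA identifiers and ranges exactly as listed above and reports which apply to a given version string. The helper names (parse_version, in_range, matching_advisories) are this example's own. It also accepts the other comparison operators GitHub advisories commonly use (>=, >, =), which goes beyond the two forms that appear on this page. Note that the page does not state fixed versions, so a "no match" result only means the release is outside every listed affected range, not that a particular upgrade target is confirmed.

```python
"""Match a Kimai release against the affected-version ranges listed above.

Added example, not code from the Kimai project. The identifiers and ranges
in ADVISORIES are copied from the listing on this page; nothing else about
the advisories is assumed.
"""
from __future__ import annotations

import re

# Constructed table: (severity, GHSA id, CVE id or None, affected-version spec), copied from the page.
ADVISORIES: list[tuple[str, str, str | None, str]] = [
    ("MEDIUM", "GHSA-v33r-r6h2-8wr7", "CVE-2026-28685", "<=2.50.0"),
    ("MEDIUM", "GHSA-jg2j-2w24-54cg", "CVE-2026-23626", "<2.46.0"),
    ("HIGH", "GHSA-534c-hcr7-67jg", None, "<=2.20.1"),
]

# Operator (optional, defaults to exact match) followed by a dotted numeric version.
_RANGE_RE = re.compile(r"^(<=|>=|<|>|=)?\s*(\d+(?:\.\d+)*)$")
_VERSION_RE = re.compile(r"^\d+(?:\.\d+)*$")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '2.19.1' (or 'v2.19.1') into (2, 19, 1).

    Pre-release suffixes such as '2.19.1-beta' are rejected rather than
    silently compared, because ordering them against the ranges on this page
    is not defined by the listing.
    """
    text = text.strip()
    if text.startswith("v"):
        text = text[1:]
    if not _VERSION_RE.match(text):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def _pad(a: tuple[int, ...], b: tuple[int, ...]) -> tuple[tuple[int, ...], tuple[int, ...]]:
    """Right-pad with zeros so that 2.19 compares equal to 2.19.0, not less than it."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def in_range(version: str, spec: str) -> bool:
    """Return True if `version` satisfies a spec such as '<=2.50.0' or '<2.46.0'."""
    m = _RANGE_RE.match(spec.strip())
    if not m:
        raise ValueError(f"unsupported version spec: {spec!r}")
    op = m.group(1) or "="
    v, bound = _pad(parse_version(version), parse_version(m.group(2)))
    return {
        "<": v < bound,
        "<=": v <= bound,
        ">": v > bound,
        ">=": v >= bound,
        "=": v == bound,
    }[op]


def matching_advisories(version: str) -> list[str]:
    """GHSA ids of every listed advisory whose affected range includes `version`."""
    return [ghsa for _sev, ghsa, _cve, spec in ADVISORIES if in_range(version, spec)]


def report(version: str) -> str:
    """Human-readable summary for one release, with severity and CVE where listed."""
    hits = set(matching_advisories(version))
    lines = [f"Kimai {version}: {len(hits)} of {len(ADVISORIES)} listed advisories apply"]
    for sev, ghsa, cve, spec in ADVISORIES:
        if ghsa in hits:
            cve_text = f" ({cve})" if cve else ""
            lines.append(f"  [{sev}] {ghsa}{cve_text}  affected: {spec}")
    return "\n".join(lines)


if __name__ == "__main__":
    # 2.19.1 is the release this page is filtered on; all three entries should match.
    print(report("2.19.1"))
```

Running the script as-is prints the report for 2.19.1; pass any other release to `report()` or `matching_advisories()` to check it against the same table.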