kimai/kimai vulnerabilities

Browse known CVEs and advisories by package and ecosystem. Severity tells you the worst case. What determines real risk is whether the vulnerable code actually runs in your applications.

CVE-ID | Severity | Package summary
GHSA-J5MC-P8QG-39J7 | Low | kimai/kimai: Kimai Favorite Timesheet Add and Remove Endpoints Allows Cross-User Bookmark Manipulation
GHSA-M492-GV72-XVXJ | Low | kimai/kimai: Kimai Password Reset Link Remains Valid After Password Change
CVE-2026-44298 | Medium | kimai/kimai: Kimai has an arbitrary file read in its invoice PDF renderer (admin)
GHSA-VRQV-52X7-RM4V | Medium | kimai/kimai: Kimai's Twig function config() leaks server-wide secrets (LDAP bind password, SAML SP private key)…
GHSA-9G2Q-W3W2-VF7Q | Medium | kimai/kimai: Kimai has Missing Voter Check that Allows Cross-Team Timesheet Manipulation
CVE-2026-42267 | Medium | kimai/kimai: Kimai vulnerable to formula Injection via tag names in XLSX export
CVE-2026-41498 | Low | kimai/kimai: Kimai has Missing Object-Level Authorization in the Team API
GHSA-JRC6-FMHW-FPQ2 | Low | kimai/kimai: Kimai: Username enumeration via timing on X-AUTH-USER
CVE-2026-40486 | Medium | kimai/kimai: Kimai's User Preferences API allows standard users to modify restricted attributes: hourly_rate,…
CVE-2026-40479 | Medium | kimai/kimai: Kimai has Stored XSS via Incomplete HTML Attribute Escaping in Team Member Widget
GHSA-RH42-6RJ2-XWMC | Low | kimai/kimai: Kimai leaks API Token Hash via Invoice Twig Template
GHSA-3JP4-MHH4-GCGR | Low | kimai/kimai: Kimai has an Open Redirect via Unvalidated RelayState in SAML ACS Handler
CVE-2026-28685 | Medium | kimai/kimai: Kimai's API invoice endpoint missing customer-level access control (IDOR)
CVE-2019-25317 | Medium | kimai/kimai: Kimai 2 vulnerable to persistent cross-site scripting in the timesheet descriptions
CVE-2026-23626 | Medium | kimai/kimai: Kimai has an Authenticated Server-Side Template Injection (SSTI)
CVE-2023-53957 | High | kimai/kimai: Kimai contains a SameSite cookie vulnerability
GHSA-534C-HCR7-67JG | High | kimai/kimai: Kimai has an XXE Leading to Local File Read
CVE-2024-4596 | Low | kimai/kimai: Kimai information disclosure vulnerability
CVE-2024-29200 | Medium | kimai/kimai: Kimai API returns timesheet entries a user should not be authorized to view
CVE-2023-46245 | High | kimai/kimai: Kimai (Authenticated) SSTI to RCE by Uploading a Malicious Twig File
CVE-2020-19825 | Critical | kimai/kimai: Cross-site Scripting in kimai/kimai
