Search criteria
4 vulnerabilities found for Kimai by Kimai
CVE-2026-23626 (GCVE-0-2026-23626)
Vulnerability from cvelistv5 – Published: 2026-01-18 22:45 – Updated: 2026-01-20 20:07
VLAI?
Title
Kimai Vulnerable to Authenticated Server-Side Template Injection (SSTI)
Summary
Kimai is a web-based multi-user time-tracking application. Prior to version 2.46.0, Kimai's export functionality uses a Twig sandbox with an overly permissive security policy (`DefaultPolicy`) that allows arbitrary method calls on objects available in the template context. An authenticated user with export permissions can deploy a malicious Twig template that extracts sensitive information including environment variables, all user password hashes, serialized session tokens, and CSRF tokens. Version 2.46.0 patches this issue.
Severity ?
6.8 (Medium)
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23626",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T19:37:30.485752Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T20:07:08.477Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "kimai",
"vendor": "kimai",
"versions": [
{
"status": "affected",
"version": "\u003c 2.46.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Kimai is a web-based multi-user time-tracking application. Prior to version 2.46.0, Kimai\u0027s export functionality uses a Twig sandbox with an overly permissive security policy (`DefaultPolicy`) that allows arbitrary method calls on objects available in the template context. An authenticated user with export permissions can deploy a malicious Twig template that extracts sensitive information including environment variables, all user password hashes, serialized session tokens, and CSRF tokens. Version 2.46.0 patches this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-18T22:45:35.942Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/kimai/kimai/security/advisories/GHSA-jg2j-2w24-54cg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/kimai/kimai/security/advisories/GHSA-jg2j-2w24-54cg"
},
{
"name": "https://github.com/kimai/kimai/pull/5757",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kimai/kimai/pull/5757"
},
{
"name": "https://github.com/kimai/kimai/commit/6a86afb5fd79f6c1825060b87c09bd1909c2e86f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kimai/kimai/commit/6a86afb5fd79f6c1825060b87c09bd1909c2e86f"
},
{
"name": "https://github.com/kimai/kimai/releases/tag/2.46.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kimai/kimai/releases/tag/2.46.0"
}
],
"source": {
"advisory": "GHSA-jg2j-2w24-54cg",
"discovery": "UNKNOWN"
},
"title": "Kimai Vulnerable to Authenticated Server-Side Template Injection (SSTI)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23626",
"datePublished": "2026-01-18T22:45:35.942Z",
"dateReserved": "2026-01-14T16:08:37.482Z",
"dateUpdated": "2026-01-20T20:07:08.477Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53957 (GCVE-0-2023-53957)
Vulnerability from cvelistv5 – Published: 2025-12-19 21:05 – Updated: 2025-12-19 21:41
VLAI?
Title
Kimai 1.30.10 SameSite Cookie Vulnerability Session Hijacking
Summary
Kimai 1.30.10 contains a SameSite cookie vulnerability that allows attackers to steal user session cookies through malicious exploitation. Attackers can trick victims into executing a crafted PHP script that captures and writes session cookie information to a file, enabling potential session hijacking.
Severity ?
9.8 (Critical)
CWE
- CWE-1275 - Sensitive Cookie with Improper SameSite Attribute
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Credits
nu11secur1ty
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-53957",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-19T21:36:13.015775Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T21:41:07.772Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Kimai",
"vendor": "Kimai",
"versions": [
{
"status": "affected",
"version": "1.30.10"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "nu11secur1ty"
}
],
"descriptions": [
{
"lang": "en",
"value": "Kimai 1.30.10 contains a SameSite cookie vulnerability that allows attackers to steal user session cookies through malicious exploitation. Attackers can trick victims into executing a crafted PHP script that captures and writes session cookie information to a file, enabling potential session hijacking."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1275",
"description": "Sensitive Cookie with Improper SameSite Attribute",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T21:05:52.561Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-51278",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/51278"
},
{
"name": "Official Product Homepage",
"tags": [
"product"
],
"url": "https://github.com/kimai/kimai/releases/tag/1.30.10"
},
{
"name": "VulnCheck Advisory: Kimai 1.30.10 SameSite Cookie Vulnerability Session Hijacking",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/kimai-samesite-cookie-vulnerability-session-hijacking"
}
],
"title": "Kimai 1.30.10 SameSite Cookie Vulnerability Session Hijacking",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2023-53957",
"datePublished": "2025-12-19T21:05:52.561Z",
"dateReserved": "2025-12-19T14:03:57.723Z",
"dateUpdated": "2025-12-19T21:41:07.772Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-29200 (GCVE-0-2024-29200)
Vulnerability from cvelistv5 – Published: 2024-03-28 13:28 – Updated: 2024-08-02 01:10
VLAI?
Title
API returns timesheet entries a user should not be authorized to view
Summary
Kimai is a web-based multi-user time-tracking application. The permission `view_other_timesheet` performs differently for the Kimai UI and the API, thus returning unexpected data through the API. When setting the `view_other_timesheet` permission to true, on the frontend, users can only see timesheet entries for teams they are a part of. When requesting all timesheets from the API, however, all timesheet entries are returned, regardless of whether the user shares team permissions or not. This vulnerability is fixed in 2.13.0.
Severity ?
6.8 (Medium)
CWE
- CWE-1220 - Insufficient Granularity of Access Control
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29200",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-28T15:54:22.072724Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:21:19.276Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:10:54.793Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/kimai/kimai/security/advisories/GHSA-cj3c-5xpm-cx94",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/kimai/kimai/security/advisories/GHSA-cj3c-5xpm-cx94"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "kimai",
"vendor": "kimai",
"versions": [
{
"status": "affected",
"version": "\u003c 2.13.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Kimai is a web-based multi-user time-tracking application. The permission `view_other_timesheet` performs differently for the Kimai UI and the API, thus returning unexpected data through the API. When setting the `view_other_timesheet` permission to true, on the frontend, users can only see timesheet entries for teams they are a part of. When requesting all timesheets from the API, however, all timesheet entries are returned, regardless of whether the user shares team permissions or not. This vulnerability is fixed in 2.13.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1220",
"description": "CWE-1220: Insufficient Granularity of Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-28T13:28:36.005Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/kimai/kimai/security/advisories/GHSA-cj3c-5xpm-cx94",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/kimai/kimai/security/advisories/GHSA-cj3c-5xpm-cx94"
}
],
"source": {
"advisory": "GHSA-cj3c-5xpm-cx94",
"discovery": "UNKNOWN"
},
"title": "API returns timesheet entries a user should not be authorized to view"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-29200",
"datePublished": "2024-03-28T13:28:36.005Z",
"dateReserved": "2024-03-18T17:07:00.096Z",
"dateUpdated": "2024-08-02T01:10:54.793Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-46245 (GCVE-0-2023-46245)
Vulnerability from cvelistv5 – Published: 2023-10-31 15:06 – Updated: 2024-08-02 20:37
VLAI?
Title
Kimai (Authenticated) SSTI to RCE by Uploading a Malicious Twig File
Summary
Kimai is a web-based multi-user time-tracking application. Versions prior to 2.1.0 are vulnerable to a Server-Side Template Injection (SSTI) which can be escalated to Remote Code Execution (RCE). The vulnerability arises when a malicious user uploads a specially crafted Twig file, exploiting the software's PDF and HTML rendering functionalities. Version 2.1.0 enables security measures for custom Twig templates.
Severity ?
7.2 (High)
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:37:40.150Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/kimai/kimai/security/advisories/GHSA-fjhg-96cp-6fcw",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/kimai/kimai/security/advisories/GHSA-fjhg-96cp-6fcw"
},
{
"name": "https://github.com/kimai/kimai/commit/38e37f1c2e91e1acb221ec5c13f11b735bd50ae4",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/kimai/kimai/commit/38e37f1c2e91e1acb221ec5c13f11b735bd50ae4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "kimai",
"vendor": "kimai",
"versions": [
{
"status": "affected",
"version": "\u003c 2.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Kimai is a web-based multi-user time-tracking application. Versions prior to 2.1.0 are vulnerable to a Server-Side Template Injection (SSTI) which can be escalated to Remote Code Execution (RCE). The vulnerability arises when a malicious user uploads a specially crafted Twig file, exploiting the software\u0027s PDF and HTML rendering functionalities. Version 2.1.0 enables security measures for custom Twig templates."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-12T16:38:46.831Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/kimai/kimai/security/advisories/GHSA-fjhg-96cp-6fcw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/kimai/kimai/security/advisories/GHSA-fjhg-96cp-6fcw"
},
{
"name": "https://github.com/kimai/kimai/commit/38e37f1c2e91e1acb221ec5c13f11b735bd50ae4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kimai/kimai/commit/38e37f1c2e91e1acb221ec5c13f11b735bd50ae4"
}
],
"source": {
"advisory": "GHSA-fjhg-96cp-6fcw",
"discovery": "UNKNOWN"
},
"title": "Kimai (Authenticated) SSTI to RCE by Uploading a Malicious Twig File"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-46245",
"datePublished": "2023-10-31T15:06:23.359Z",
"dateReserved": "2023-10-19T20:34:00.948Z",
"dateUpdated": "2024-08-02T20:37:40.150Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}