Kimai: Stored XSS via Incomplete HTML Attribute Escaping in Team...

5.4 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Description

Kimai is an open-source time tracking application. In versions 1.16.3 through 2.52.0, the escapeForHtml() function in KimaiEscape.js does not escape double quote or single quote characters. When a user's profile alias is inserted into an HTML attribute context via the team member form prototype and rendered through innerHTML, this incomplete escaping allows HTML attribute injection. An authenticated user with ROLE_USER privileges can store a malicious alias that executes JavaScript in the browser of any administrator viewing the team form, resulting in stored XSS with privilege escalation. This issue has been fixed in version 2.53.0.

Basic Information

ID CVE-2026-40479

Source GitHub_M

Published Apr 17, 2026 at 22:31

Affected Product

Vendor kimai

Product kimai

Version >= 1.16.3, < 2.53.0

Affected Versions kimai kimai >= 1.16.3, < 2.53.0

CWE Classification

CWE-79

References

{
    "lastseen": "",
    "description": "Kimai is an open-source time tracking application. In versions 1.16.3 through 2.52.0, the escapeForHtml() function in KimaiEscape.js does not escape double quote or single quote characters. When a user's profile alias is inserted into an HTML attribute context via the team member form prototype and rendered through innerHTML, this incomplete escaping allows HTML attribute injection. An authenticated user with ROLE_USER privileges can store a malicious alias that executes JavaScript in the browser of any administrator viewing the team form, resulting in stored XSS with privilege escalation. This issue has been fixed in version 2.53.0.",
    "published": "2026-04-17T22:31:29.930Z",
    "modified": "2026-04-17T22:31:29.930Z",
    "type": "cve",
    "title": "Kimai: Stored XSS via Incomplete HTML Attribute Escaping in Team Member Widget",
    "source": "GitHub_M",
    "references": "https://github.com/kimai/kimai/security/advisories/GHSA-g82g-m9vx-vhjg\nhttps://github.com/kimai/kimai/releases/tag/2.53.0",
    "id": "CVE-2026-40479",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "kimai kimai >= 1.16.3, < 2.53.0",
    "sourceHref": "",
    "cvss": {
        "score": 5.4,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "kimai",
    "version": ">= 1.16.3, < 2.53.0",
    "vendor": "kimai",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Kimai: Stored XSS via Incomplete HTML Attribute Escaping in Team Member Widget_CVE-2026-40479