threat
engine
.sh
Back
·
··:··
Home
/
Product
/
kimai
Product
kimai
20 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
Sort
Newest first
Oldest first
Highest CVSS
Lowest CVSS
Min CVSS
Any
4.0+
7.0+ (High)
9.0+ (Critical)
Published since
Reset
CVE-2026-44298
>= 2.32.0 and < 2.56.0
Kimai is an open-source time tracking application. From version 2.32.0 to before version 2.56.0, users with the role System-Admin
4.1
MEDIUM
CVE-2026-42267
>= 2.27.0 and < 2.54.0
Kimai is an open-source time tracking application. From version 2.27.0 to before version 2.54.0, any ROLE_USER can create a tag wi
5.7
MEDIUM
CVE-2026-41498
< 2.54.0
Kimai is an open-source time tracking application. Prior to version 2.54.0, the Team API endpoints use #[IsGranted('edit_team')] i
3.3
LOW
CVE-2026-40486
< 2.53.0
Kimai is an open-source time tracking application. In versions 2.52.0 and below, the User Preferences API endpoint (PATCH /api/use
4.3
MEDIUM
CVE-2026-40479
< 2.53.0
Kimai is an open-source time tracking application. In versions 1.16.3 through 2.52.0, the escapeForHtml() function in KimaiEscape.
5.4
MEDIUM
CVE-2026-28685
< 2.51.0
Kimai is a web-based multi-user time-tracking application. Prior to version 2.51.0, "GET /api/invoices/{id}" only checks the role-
6.5
MEDIUM
CVE-2019-25317
<= 1.1
Kimai 2 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts into timesheet
6.4
MEDIUM
CVE-2026-23626
< 2.46.0
Kimai is a web-based multi-user time-tracking application. Prior to version 2.46.0, Kimai's export functionality uses a Twig sandb
6.8
MEDIUM
CVE-2023-53957
all versions
Kimai 1.30.10 contains a SameSite cookie vulnerability that allows attackers to steal user session cookies through malicious explo
9.8
CRITICAL
CVE-2024-4596
< 2.16.0
A vulnerability was found in Kimai up to 2.15.0 and classified as problematic. Affected by this issue is some unknown functionalit
3.7
LOW
CVE-2024-29200
< 2.13.0
Kimai is a web-based multi-user time-tracking application. The permission
view_other_timesheet
performs differently for the Kima
6.8
MEDIUM
CVE-2023-46245
<= 2.10
Kimai is a web-based multi-user time-tracking application. Versions prior to 2.1.0 are vulnerable to a Server-Side Template Inject
7.2
HIGH
CVE-2020-19825
all versions
Cross Site Scripting (XSS) vulnerability in kevinpapst kimai2 1.30.0 in /src/Twig/Runtime/MarkdownExtension.php, allows attackers
9.6
CRITICAL
CVE-2021-43515
< 1.14.1
CSV Injection (aka Excel Macro Injection or Formula Injection) exists in creating new timesheet in Kimai. By filling the Descripti
7.8
HIGH
CVE-2021-4033
< 1.16.7
kimai2 is vulnerable to Cross-Site Request Forgery (CSRF)
6.5
MEDIUM
CVE-2021-3985
< 1.16.3
kimai2 is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
9.0
CRITICAL
CVE-2021-3963
< 1.16.2
kimai2 is vulnerable to Cross-Site Request Forgery (CSRF)
4.3
MEDIUM
CVE-2021-3957
< 1.16.2
kimai2 is vulnerable to Cross-Site Request Forgery (CSRF)
4.3
MEDIUM
CVE-2021-3976
< 1.16.2
kimai2 is vulnerable to Cross-Site Request Forgery (CSRF)
6.5
MEDIUM
CVE-2019-15481
< 1.1
Kimai v2 before 1.1 has XSS via a timesheet description.
6.1
MEDIUM
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin