CVE-2026-40479

Kimai: Stored XSS via Incomplete HTML Attribute Escaping in Team Member Widget

CVSS 5.4 MEDIUM · EPSS 0.2% · CWE-79
In short

Kimai has a security flaw where user profile aliases aren't properly escaped when rendered into the team member form, allowing an authenticated user to inject script that runs when an administrator views the page. An attacker with regular user access can store this malicious alias to steal admin credentials or perform actions as an administrator.

Technical detail

The escapeForHtml() function in KimaiEscape.js fails to escape quote characters (single and double), enabling HTML attribute injection when user aliases are rendered via innerHTML in the team member widget. An authenticated attacker with ROLE_USER can craft a malicious alias containing JavaScript payloads that execute in an administrator's browser context, achieving stored XSS and privilege escalation.

Summary generated and translated by AI from the official description.
Kimai is an open-source time tracking application. In versions 1.16.3 through 2.52.0, the escapeForHtml() function in KimaiEscape.js does not escape double quote or single quote characters. When a user's profile alias is inserted into an HTML attribute context via the team member form prototype and rendered through innerHTML, this incomplete escaping allows HTML attribute injection. An authenticated user with ROLE_USER privileges can store a malicious alias that executes JavaScript in the browser of any administrator viewing the team form, resulting in stored XSS with privilege escalation. This issue has been fixed in version 2.53.0.
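The escaping defect named in the technical detail and official description above, shown as an added example that is not Kimai's own code: an HTML escaper that skips both quote characters beside a complete one, rendered into the kind of attribute context the advisory describes. The function names, the form template and the sample alias are constructed for this illustration; the real `KimaiEscape.js` implementation may differ in detail.

```javascript
// Added example, not code from Kimai. It reconstructs the class of defect the
// advisory describes (an HTML escaper that skips quote characters) next to a
// complete escaper, and checks each result for attribute-context safety.
// Function names, template and sample alias are constructed for this example.

// Incomplete escaper: handles &, <, > only, leaving both quote characters raw.
function escapeForHtmlIncomplete(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Complete escaper: also neutralises " and ', so the result is safe both as
// text content and inside a single- or double-quoted attribute value.
function escapeForHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hypothetical form prototype whose value attribute carries the user alias,
// the attribute context the advisory says is rendered through innerHTML.
function renderMemberPrototype(alias, escaper) {
  return `<input type="text" name="member" value="${escaper(alias)}">`;
}

// Defensive check for an escaped value: a raw quote is the character that
// terminates a quoted attribute, so a correctly escaped value has none.
function attributeValueIsSafe(escaped) {
  return !/["'<>]/.test(escaped);
}

// Constructed sample alias that legitimately contains both quote characters.
const sampleAlias = 'Ann "Annie" O\'Neil';

console.log("incomplete:", renderMemberPrototype(sampleAlias, escapeForHtmlIncomplete),
  "safe:", attributeValueIsSafe(escapeForHtmlIncomplete(sampleAlias)));
console.log("complete:  ", renderMemberPrototype(sampleAlias, escapeForHtml),
  "safe:", attributeValueIsSafe(escapeForHtml(sampleAlias)));
```

The incomplete variant leaves the double quote in the rendered `value="..."` attribute intact, which is exactly the attribute boundary the fix in 2.53.0 closes by escaping quotes as well.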
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Affected products
kimai · kimai
