Description

Kimai is an open-source time tracking application. In versions 1.16.3 through 2.52.0, the escapeForHtml() function in KimaiEscape.js does not escape double quote or single quote characters. When a user's profile alias is inserted into an HTML attribute context via the team member form prototype and rendered through innerHTML, this incomplete escaping allows HTML attribute injection. An authenticated user with ROLE_USER privileges can store a malicious alias that executes JavaScript in the browser of any administrator viewing the team form, resulting in stored XSS with privilege escalation. This issue has been fixed in version 2.53.0.

INFO

Published Date :

2026-04-17T22:31:29.930Z

Last Modified :

2026-04-17T22:31:29.930Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-40479 vulnerability.

Vendors Products
Kimai
  • Kimai
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-40479.

URL Resource
https://github.com/kimai/kimai/releases/tag/2.53.0 cve-icon cve-icon
https://github.com/kimai/kimai/security/advisories/GHSA-g82g-m9vx-vhjg cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact