{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40479", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-13T19:50:42.113Z", "datePublished": "2026-04-17T22:31:29.930Z", "dateUpdated": "2026-04-17T22:31:29.930Z"}, "containers": {"cna": {"title": "Kimai: Stored XSS via Incomplete HTML Attribute Escaping in Team Member Widget", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/kimai/kimai/security/advisories/GHSA-g82g-m9vx-vhjg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kimai/kimai/security/advisories/GHSA-g82g-m9vx-vhjg"}, {"name": "https://github.com/kimai/kimai/releases/tag/2.53.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/kimai/kimai/releases/tag/2.53.0"}], "affected": [{"vendor": "kimai", "product": "kimai", "versions": [{"version": ">= 1.16.3, < 2.53.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T22:31:29.930Z"}, "descriptions": [{"lang": "en", "value": "Kimai is an open-source time tracking application. In versions 1.16.3 through 2.52.0, the escapeForHtml() function in KimaiEscape.js does not escape double quote or single quote characters. When a user's profile alias is inserted into an HTML attribute context via the team member form prototype and rendered through innerHTML, this incomplete escaping allows HTML attribute injection. An authenticated user with ROLE_USER privileges can store a malicious alias that executes JavaScript in the browser of any administrator viewing the team form, resulting in stored XSS with privilege escalation. This issue has been fixed in version 2.53.0."}], "source": {"advisory": "GHSA-g82g-m9vx-vhjg", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Kimai is an open-source time tracking application. In versions 1.16.3 through 2.52.0, the escapeForHtml() function in KimaiEscape.js does not escape double quote or single quote characters. When a user's profile alias is inserted into an HTML attribute context via the team member form prototype and rendered through innerHTML, this incomplete escaping allows HTML attribute injection. An authenticated user with ROLE_USER privileges can store a malicious alias that executes JavaScript in the browser of any administrator viewing the team form, resulting in stored XSS with privilege escalation. This issue has been fixed in version 2.53.0."}], "id": "CVE-2026-40479", "lastModified": "2026-04-17T23:16:12.317", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-17T23:16:12.317", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/kimai/kimai/releases/tag/2.53.0"}, {"source": "security-advisories@github.com", "url": "https://github.com/kimai/kimai/security/advisories/GHSA-g82g-m9vx-vhjg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.16.3,2.53.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "kimai", "source": "cna", "vendor": "kimai"}, "product": "kimai", "vendor": "kimai"}], "analysis": {"en": {"generated_at": "2026-04-18T08:51:46.486406+00:00", "value": {"mitigation_remediation": ["Upgrade Kimai to version 2.53.0 or newer where the HTML attribute escaping has been corrected.", "Ensure that any existing profile aliases contain no characters that could be interpreted as HTML or script \u2013 verify that no quotes or script tags exist in stored aliases.", "After applying the patch, review the team member form for visual confirmation that malicious aliases no longer execute, and regenerate or delete any compromised content."], "summary": {"action": "Patch", "impact": "Stored XSS \u2013 Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The affected product is Kimai. All releases from version 1.16.3 through 2.52.0 are vulnerable. The defect was eliminated in version 2.53.0, which correctly escapes quotes in the alias field.", "description_and_impact": "Kimai versions between 1.16.3 and 2.52.0 contain a flaw where the escapeForHtml() function fails to escape double and single quote characters. When an authenticated user with standard ROLE_USER privileges sets a malicious profile alias that includes quotes, the alias is rendered inside an HTML attribute via innerHTML, enabling the injected script to execute in the browsers of administrators who view the team member form. The vulnerability allows stored cross\u2011site scripting with privilege escalation, giving a lower\u2011privileged user the ability to run arbitrary JavaScript as an administrator.", "risk_and_exploitability": "The CVSS score is 5.4, indicating a moderate severity vulnerability. Exploitation requires a logged\u2011in user with ability to edit their own profile alias, and the script runs in the browser context of any administrator viewing the team form. The EPSS score is not available, and the vulnerability is not listed in CISA KEV. While publicly documented, no active exploits have been reported beyond the advisory. The risk remains for any organization still running the vulnerable range of Kimai releases."}}}}, "created": "2026-04-17T23:30:15.777002+00:00", "updated": "2026-04-18T09:00:05.895349+00:00", "vendors": ["kimai", "kimai$PRODUCT$kimai"]}