CVE-2026-40479
Stored XSS in Kimai Team Form via Incomplete HTML Escaping
Publication date: 2026-04-17
Last updated on: 2026-04-27
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kimai | kimai | to 2.53.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows an authenticated user to inject malicious JavaScript into the browser of administrators via stored cross-site scripting (XSS). This can lead to privilege escalation and unauthorized actions within the application.
Such security weaknesses can impact compliance with standards like GDPR and HIPAA, which require protection of personal data and secure application behavior to prevent unauthorized access or data breaches.
Specifically, exploitation of this vulnerability could lead to unauthorized access to sensitive user information or administrative functions, potentially violating data protection and security requirements mandated by these regulations.
Can you explain this vulnerability to me?
This vulnerability exists in Kimai, an open-source time tracking application, specifically in versions 1.16.3 through 2.52.0. The issue is in the escapeForHtml() function in KimaiEscape.js, which fails to properly escape double quote and single quote characters. Because of this incomplete escaping, when a user's profile alias is inserted into an HTML attribute context via the team member form prototype and rendered using innerHTML, it allows HTML attribute injection.
An authenticated user with ROLE_USER privileges can exploit this by storing a malicious alias that executes JavaScript in the browser of any administrator who views the team form. This results in stored cross-site scripting (XSS) with privilege escalation.
The vulnerability was fixed in version 2.53.0.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing an authenticated user with limited privileges (ROLE_USER) to execute malicious JavaScript code in the browser of an administrator. This stored cross-site scripting (XSS) attack can lead to privilege escalation, potentially allowing the attacker to perform actions with administrator privileges or steal sensitive information accessible to the administrator.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Kimai to version 2.53.0 or later, where the issue with incomplete escaping in the escapeForHtml() function has been fixed.
Additionally, restrict the ability to set profile aliases to trusted users only, and review any stored aliases for potentially malicious content.