CVE-2026-40479
Received Received - Intake
Stored XSS in Kimai Team Form via Incomplete HTML Escaping

Publication date: 2026-04-17

Last updated on: 2026-04-27

Assigner: GitHub, Inc.

Description
Kimai is an open-source time tracking application. In versions 1.16.3 through 2.52.0, the escapeForHtml() function in KimaiEscape.js does not escape double quote or single quote characters. When a user's profile alias is inserted into an HTML attribute context via the team member form prototype and rendered through innerHTML, this incomplete escaping allows HTML attribute injection. An authenticated user with ROLE_USER privileges can store a malicious alias that executes JavaScript in the browser of any administrator viewing the team form, resulting in stored XSS with privilege escalation. This issue has been fixed in version 2.53.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-17
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-04-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40479
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
kimai kimai to 2.53.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows an authenticated user to inject malicious JavaScript into the browser of administrators via stored cross-site scripting (XSS). This can lead to privilege escalation and unauthorized actions within the application.

Such security weaknesses can impact compliance with standards like GDPR and HIPAA, which require protection of personal data and secure application behavior to prevent unauthorized access or data breaches.

Specifically, exploitation of this vulnerability could lead to unauthorized access to sensitive user information or administrative functions, potentially violating data protection and security requirements mandated by these regulations.

Executive Summary

This vulnerability exists in Kimai, an open-source time tracking application, specifically in versions 1.16.3 through 2.52.0. The issue is in the escapeForHtml() function in KimaiEscape.js, which fails to properly escape double quote and single quote characters. Because of this incomplete escaping, when a user's profile alias is inserted into an HTML attribute context via the team member form prototype and rendered using innerHTML, it allows HTML attribute injection.

An authenticated user with ROLE_USER privileges can exploit this by storing a malicious alias that executes JavaScript in the browser of any administrator who views the team form. This results in stored cross-site scripting (XSS) with privilege escalation.

The vulnerability was fixed in version 2.53.0.

Impact Analysis

This vulnerability can impact you by allowing an authenticated user with limited privileges (ROLE_USER) to execute malicious JavaScript code in the browser of an administrator. This stored cross-site scripting (XSS) attack can lead to privilege escalation, potentially allowing the attacker to perform actions with administrator privileges or steal sensitive information accessible to the administrator.

Mitigation Strategies

To mitigate this vulnerability, upgrade Kimai to version 2.53.0 or later, where the issue with incomplete escaping in the escapeForHtml() function has been fixed.

Additionally, restrict the ability to set profile aliases to trusted users only, and review any stored aliases for potentially malicious content.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40479. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart