Formula Injection via tag names in XLSX export

Affected versions

  • Kimai versions >= 2.27.0, <= 2.53.0 are affected by this security issue
  • The issue has been fixed in Kimai 2.54.0
  • Severity: Medium
  • The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-42267 to this issue

Description

Kimai allowed any authenticated user (ROLE_USER) to create a tag whose name is a spreadsheet formula (for example =SUM(54+51)) and assign it to a timesheet. When an administrator later exported timesheets to XLSX, the formula was written into the file as a real formula cell and evaluated by Excel or LibreOffice Calc when the export was opened.

The XLSX export pipeline did not neutralize formula trigger characters in array-valued cells:

  • ArrayFormatter::formatValue() joined tag names with implode() and returned the result unchanged. Unlike TextFormatter, it never called StringHelper::sanitizeDDE().
  • Tag name validation in the API blocked commas but accepted =, +, - and @ — all valid formula prefixes in Excel and LibreOffice Calc.
  • OpenSpout silently promotes any string starting with = to a FormulaCell, so the exported XLSX contained <f>SUM(54+51)</f> instead of literal text.
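The following is an added example, not Kimai's code, showing the two controls the description points at in isolation: a neutralizer for formula trigger characters applied to array-valued cells (the equivalent of what ArrayFormatter was missing), and a tag-name validator that rejects those characters at creation time. The helper names (FormulaGuard, looksLikeFormula, sanitize, isValidTagName, formatArrayUnsafe, formatArraySafe) are this example's own, and the trigger set extends the page's =, +, -, @ with a leading tab and carriage return, which spreadsheet applications also interpret; the neutralization strategy (prefixing a single quote) is an assumption, not necessarily what StringHelper::sanitizeDDE does.

```php
<?php
declare(strict_types=1);

// Added example, not part of Kimai. Demonstrates why an array-valued cell
// needs the same formula-trigger handling as a plain text cell.
final class FormulaGuard
{
    // Characters that make Excel / LibreOffice Calc evaluate a cell as a formula
    // when they appear at position 0. Tab and CR are assumed additions to the
    // four characters named in the advisory.
    private const TRIGGERS = ['=', '+', '-', '@', "\t", "\r"];

    /** True when a spreadsheet would treat this string as a formula. */
    public static function looksLikeFormula(string $value): bool
    {
        return $value !== '' && in_array($value[0], self::TRIGGERS, true);
    }

    /**
     * Neutralize a value destined for a spreadsheet cell: a leading apostrophe
     * forces the cell to be read as literal text (assumed strategy).
     */
    public static function sanitize(string $value): string
    {
        return self::looksLikeFormula($value) ? "'" . $value : $value;
    }

    /**
     * Input-side control for user-supplied tag names: reject rather than rewrite,
     * so a formula-looking name never enters the database in the first place.
     * The comma rule mirrors the existing API validation described above.
     */
    public static function isValidTagName(string $name): bool
    {
        if ($name === '' || str_contains($name, ',')) {
            return false;
        }
        return !self::looksLikeFormula($name);
    }

    /** Mirrors the vulnerable behaviour: join and return unchanged. */
    public static function formatArrayUnsafe(array $values): string
    {
        return implode(', ', $values);
    }

    /**
     * Hardened variant. Only the first character of the *cell* matters, so the
     * joined string is sanitized once after the join rather than per element.
     */
    public static function formatArraySafe(array $values): string
    {
        return self::sanitize(implode(', ', $values));
    }
}

// Constructed sample: a benign tag followed by a formula-shaped tag name.
$tags = ['=SUM(54+51)', 'billable'];

echo "unsafe: " . FormulaGuard::formatArrayUnsafe($tags) . "\n";
echo "safe:   " . FormulaGuard::formatArraySafe($tags) . "\n";

foreach (['billable', '=SUM(54+51)', '+1', '@cmd', 'a,b'] as $candidate) {
    printf(
        "tag %-12s -> %s\n",
        var_export($candidate, true),
        FormulaGuard::isValidTagName($candidate) ? 'accepted' : 'rejected'
    );
}
```

Two layers are deliberate: the validator stops new formula-shaped tags, while the output-side sanitizer still protects exports that contain tags created before the validation existed. Independently of both, the exporter should hand the library an explicit text/string cell type instead of relying on value auto-detection, which is what the advisory's fix does with TextCell; string-level sanitization alone leaves the promotion path in place for any other field that is ever routed around the formatter.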

Solution

Kimai now (1) rejects formula trigger characters in tag names and (2) uses TextCell for all strings, so that user-supplied content can no longer be promoted to formula cells during export.

Users should update to 2.54.0 or newer.

Credits

  • Reported by: satexd
  • Patched by: kevinpapst

First reported in GitHub advisory: GHSA-3xc2-h5r3-wv3r
