Formula Injection via tag names in XLSX export

Affected versions

  • Affected versions: >= 2.27.0, <= 2.53.0
  • Patched version: 2.54.0
  • Advisory published: 26 Apr 2026

Severity

Severity: Medium

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-42267 to this issue.

Vulnerability

Kimai allowed any authenticated user (ROLE_USER) to create a tag whose name is a spreadsheet formula (for example =SUM(54+51)) and assign it to a timesheet. When an administrator later exported timesheets to XLSX, the formula was written into the file as a real formula cell and evaluated by Excel or LibreOffice Calc when the export was opened.

Info

This issue affected Kimai versions >= 2.27.0, <= 2.53.0.

The XLSX export pipeline did not neutralize formula trigger characters in array-valued cells:

  • ArrayFormatter::formatValue() joined tag names with implode() and returned the result unchanged. Unlike TextFormatter, it never called StringHelper::sanitizeDDE().
  • Tag name validation in the API blocked commas but accepted =, +, - and @ — all valid formula prefixes in Excel and LibreOffice Calc.
  • OpenSpout silently promotes any string starting with = to a FormulaCell, so the exported XLSX contained <f>SUM(54+51)</f> instead of literal text.

The vulnerability has been classified as CWE-1236 — Improper Neutralization of Formula Elements in a CSV File and assigned CVE-2026-42267.

Solution

The fix rejects formula trigger characters in tag names and routes string values through TextCell so that user-supplied strings can no longer be promoted to formula cells during export.
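As an added illustration (not Kimai's or OpenSpout's code, written in Python rather than the project's PHP), the two layers of the fix described above: an input-side check that refuses tag names beginning with a formula trigger, and an output-side neutralization applied to the joined tag string before it becomes a cell. The trigger set also includes tab and carriage return, which goes beyond the four characters named in the advisory and follows common CSV-injection guidance.

```python
"""Defensive handling of spreadsheet formula triggers in export cells.

Added example, not Kimai's code. Mirrors the advisory's two fixes:
reject trigger characters when a tag is created, and make sure any string
that still reaches the export layer is written as literal text.
"""
from typing import Iterable

# Leading characters that Excel and LibreOffice Calc treat as the start of a
# formula. Tab and carriage return are an assumption beyond the advisory,
# added because some importers honour them as well.
FORMULA_TRIGGERS = frozenset("=+-@\t\r")


def is_formula_trigger(value: str) -> bool:
    """True if a spreadsheet would promote this cell text to a formula."""
    return value[:1] in FORMULA_TRIGGERS and value != ""


def validate_tag_name(name: str) -> str:
    """Input-side fix: refuse tag names that start with a formula trigger."""
    if is_formula_trigger(name):
        raise ValueError(f"tag name must not start with a formula character: {name!r}")
    return name


def neutralize_cell(value: str) -> str:
    """Output-side fix: prefix a single quote so the cell stays literal text.

    The quote is the conventional way to force text interpretation; it is
    what a sanitizeDDE-style helper does before a value is handed to the
    spreadsheet writer.
    """
    return "'" + value if is_formula_trigger(value) else value


def format_tags_for_export(tags: Iterable[str], separator: str = ", ") -> str:
    """Join tag names the way an array formatter would, then neutralize.

    Only the first character of the joined cell decides whether a
    spreadsheet parses it as a formula, so neutralizing after the join is
    what the vulnerable ArrayFormatter path was missing.
    """
    return neutralize_cell(separator.join(tags))
```

The validation layer is what stops a trigger tag from appearing anywhere in the list; the export layer is the backstop for strings that were created before the validation existed.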

Users should update to 2.54.0 or newer.

Credits

  • Reported by: satexd
  • Patched by: kevinpapst

First reported in GitHub advisory: GHSA-3xc2-h5r3-wv3r
