Stored XSS via incomplete HTML attribute escaping in Team-Member widget

Affected versions

  • Kimai versions <= 2.52.0 are affected by this security issue
  • The issue has been fixed in Kimai 2.53.0
  • Severity: High
  • The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-40479 to this issue

Description

Kimai contained a stored cross-site scripting vulnerability in the team member widget. The client-side HTML escaping logic did not escape quote characters correctly, which allowed attacker-controlled profile data to break out of an HTML attribute context.

In affected versions, a malicious value stored in the user alias field could execute JavaScript when the generated markup was rendered in the browser.

This issue affected the escaping logic used for user-controlled content in HTML attributes.

  • The vulnerable code path escaped <, > and &, but not single or double quotes
  • The payload could be stored in profile data and later rendered in the team member widget
  • Exploitation could lead to stored XSS in privileged browser sessions
  • A low-privileged user could target administrators who viewed the affected UI

Solution

Usernames do not allow special characters, and the generated HTML is sanitized and escaped.

Users should update to 2.53.0 or newer.

Credits

  • Reported by: wooseokdotkim
  • Patched by: kevinpapst

First reported in GitHub advisory: GHSA-g82g-m9vx-vhjg
