Description
Kimai is an open-source time tracking application. In versions 1.16.3 through 2.52.0, the escapeForHtml() function in KimaiEscape.js does not escape double quote or single quote characters. When a user's profile alias is inserted into an HTML attribute context via the team member form prototype and rendered through innerHTML, this incomplete escaping allows HTML attribute injection. An authenticated user with ROLE_USER privileges can store a malicious alias that executes JavaScript in the browser of any administrator viewing the team form, resulting in stored XSS with privilege escalation. This issue has been fixed in version 2.53.0.
Published: 2026-04-17
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS – Privilege Escalation
Action: Patch
AI Analysis

Impact

Kimai versions 1.16.3 through 2.52.0 contain a flaw in which the escapeForHtml() function in KimaiEscape.js does not escape double or single quote characters. The team member form prototype interpolates a user's profile alias into an HTML attribute value and the resulting markup is assigned through innerHTML, so a quote character in the alias closes the attribute and anything that follows is parsed as further attributes, such as an event handler. An authenticated user with only ROLE_USER privileges can therefore store an alias that executes JavaScript in the browser of any administrator who views the team member form. The result is stored cross‑site scripting with privilege escalation: the injected script runs inside the administrator's authenticated session, so a lower‑privileged user can act with administrator rights.
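The mechanism described above, as an added JavaScript example that is not Kimai's code: escapeForHtmlIncomplete() is a reconstruction of the behaviour the advisory describes (quote characters pass through), escapeForHtml() is the hardened form that also encodes both quotes, and renderMemberRow(), attributeNames(), injectedAttributes(), hasHtmlMetaChars() and the alias payload are all constructed here for illustration rather than taken from KimaiEscape.js. The hasHtmlMetaChars() helper also serves the alias audit that the recommended actions call for.

```javascript
// Added example (not Kimai's code): how an HTML escaper that skips quote
// characters lets a stored alias break out of an attribute value, and how a
// complete escaper prevents it. Function bodies are reconstructions based on
// the advisory text, not the real KimaiEscape.js.

// Reconstruction (assumption): '&', '<' and '>' are encoded, but both quote
// characters pass through untouched, as the advisory describes.
function escapeForHtmlIncomplete(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Hardened escaper: encodes both quote characters as well, so the result is
// inert inside a double- or single-quoted attribute and in text content.
function escapeForHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hypothetical form-prototype template: the alias is interpolated into an
// attribute value and the finished string is what gets assigned to innerHTML.
function renderMemberRow(alias, escape) {
  return `<input type="text" name="member" value="${escape(alias)}">`;
}

// Attribute names the browser would see on the first tag of a fragment
// (simplified tokenizer: double-quoted attributes only, which is all the
// template above produces).
function attributeNames(html) {
  const tag = html.match(/^<[a-z]+\s([^>]*)>/i);
  if (!tag) return [];
  const names = [];
  const re = /([a-zA-Z-]+)="[^"]*"/g;
  let m;
  while ((m = re.exec(tag[1])) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Attributes present in the rendered row that the template itself did not
// declare; a non-empty result means the alias escaped value="...".
function injectedAttributes(alias, escape) {
  const declared = new Set(['type', 'name', 'value']);
  return attributeNames(renderMemberRow(alias, escape))
    .filter((n) => !declared.has(n));
}

// Audit helper for stored aliases: flags any character a complete HTML
// escaper must handle.
function hasHtmlMetaChars(alias) {
  return /[&<>"']/.test(String(alias));
}

// Constructed alias (not from the advisory): the double quote closes the
// value attribute, then an event-handler attribute follows.
const MALICIOUS_ALIAS = '" onfocus="alert(document.cookie)" autofocus="';

console.log('incomplete escaping injects:', injectedAttributes(MALICIOUS_ALIAS, escapeForHtmlIncomplete));
console.log('complete escaping injects:  ', injectedAttributes(MALICIOUS_ALIAS, escapeForHtml));
console.log('alias needs review:', hasHtmlMetaChars(MALICIOUS_ALIAS), hasHtmlMetaChars('Jane Doe'));
```

Run it with node. With the incomplete escaper the rendered row gains onfocus and autofocus attributes that the template never declared, which is exactly the attribute injection the advisory describes; with the complete escaper the alias stays inside value="…". The single quote is escaped too because a template that uses single-quoted attributes fails in the same way with a `'` payload, so an escaper meant for attribute context has to neutralise both.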

Affected Systems

The affected product is Kimai, the open-source time tracking application. All releases from version 1.16.3 through 2.52.0 are vulnerable. The defect was fixed in version 2.53.0, which corrects the escaping so that quote characters in an alias can no longer break out of the attribute value.

Risk and Exploitability

The CVSS 3.1 base score is 5.4 (Medium), vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N: network‑reachable, low attack complexity, low privileges (any ROLE_USER account that can edit its own profile alias), user interaction required (an administrator has to open the team form), and a changed scope because the script executes in the administrator's browser rather than on the server. The EPSS score is below 1% (very low), the CVE is not listed in CISA KEV, and SSVC records the exploitation status as proof‑of‑concept; no exploitation in the wild has been reported beyond the advisory. The risk remains for any organization still running a release in the vulnerable range.

Generated by OpenCVE AI on April 18, 2026 at 08:51 UTC.

Remediation

Vendor fix: upgrade to Kimai 2.53.0 or later, where the escaping has been corrected. No vendor‑supplied workaround for earlier releases is listed.

OpenCVE Recommended Actions

  • Upgrade Kimai to version 2.53.0 or newer, where the HTML attribute escaping has been corrected.
  • Audit stored profile aliases for HTML metacharacters (double quote, single quote, <, > and &); treat any alias containing them as suspect and reset or remove it.
  • After patching, confirm the fix rather than eyeballing the page: set a test alias containing a quote, open the team member form as an administrator, and check in the browser's DOM inspector that the alias sits entirely inside the attribute value with no extra attributes added. If a malicious alias was present before the upgrade, treat administrator sessions that viewed the team form as potentially exposed and rotate their credentials.

Advisories
Source: GitHub GHSA
ID: GHSA-g82g-m9vx-vhjg
Title: Kimai has Stored XSS via Incomplete HTML Attribute Escaping in Team Member Widget
History

Mon, 20 Apr 2026 17:15:00 +0000
  Type: Metrics (ssvc)
  Values added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 17 Apr 2026 23:45:00 +0000
  Type: First Time appeared
  Values added: Kimai; Kimai kimai
  Type: Vendors & Products
  Values added: Kimai; Kimai kimai

Fri, 17 Apr 2026 22:45:00 +0000
  Type: Description
  Values added: Kimai is an open-source time tracking application. In versions 1.16.3 through 2.52.0, the escapeForHtml() function in KimaiEscape.js does not escape double quote or single quote characters. When a user's profile alias is inserted into an HTML attribute context via the team member form prototype and rendered through innerHTML, this incomplete escaping allows HTML attribute injection. An authenticated user with ROLE_USER privileges can store a malicious alias that executes JavaScript in the browser of any administrator viewing the team form, resulting in stored XSS with privilege escalation. This issue has been fixed in version 2.53.0.
  Type: Title
  Values added: Kimai: Stored XSS via Incomplete HTML Attribute Escaping in Team Member Widget
  Type: Weaknesses
  Values added: CWE-79
  Type: References
  Values added:
  Type: Metrics (cvssV3_1)
  Values added: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-04-20T16:16:41.880Z
Reserved: 2026-04-13T19:50:42.113Z
Link: CVE-2026-40479

Vulnrichment

Updated: 2026-04-20T16:09:43.032Z

NVD

Status: Awaiting Analysis
Published: 2026-04-17T23:16:12.317
Modified: 2026-04-20T19:03:07.607
Link: CVE-2026-40479

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T09:00:05Z

Weaknesses