Platform
php
Component
kimai
Fixed versions
1.16.4
2.53.0
CVE-2026-40479 describes a stored Cross-Site Scripting (XSS) vulnerability in Kimai, a time tracking software. This vulnerability arises from an incomplete security patch intended to address a previous XSS issue. The flawed escapeForHtml() function fails to properly escape quotes, enabling attackers to inject malicious HTML attributes when user-supplied data is rendered within HTML contexts. Affected versions include those from 1.16.3 up to, but not including, version 2.53.0.
An attacker can exploit this XSS vulnerability by injecting malicious HTML attributes into the team member form, specifically within the title attribute. When this data is displayed through innerHTML, the browser interprets the injected HTML, potentially executing arbitrary JavaScript code in the context of the user's session. This could lead to account takeover, data theft (including sensitive time tracking information), or redirection to malicious websites. The impact is amplified if the Kimai instance is used within an organization, as a successful attack could compromise multiple user accounts and potentially gain access to internal resources.
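As an added illustration (not Kimai's own code, and not the contents of its KimaiEscape.js), the block below places an escaper that handles only the tag characters, the kind of incomplete fix the advisory describes, beside one that also neutralises both quote characters, and shows why the difference matters once the escaped value is placed inside an HTML attribute such as title and assigned via innerHTML. The template in renderMemberLabel and the probe values are constructed for the demonstration; isAttributeSafe is a hypothetical regression check a maintainer could keep in a test suite.

```javascript
// Hypothetical incomplete escaper: adequate for text nodes, not for
// attribute values, because quotes are passed through untouched.
function escapeForHtmlIncomplete(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Complete escaper: the five characters that must be encoded before a
// string can safely be placed in either text or double/single-quoted
// attribute context.
function escapeForHtmlComplete(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Constructed template standing in for a UI that builds a team member
// label and assigns it to innerHTML. The same value lands in an attribute
// and in a text node.
function renderMemberLabel(name, escape) {
  return '<span title="' + escape(name) + '">' + escape(name) + '</span>';
}

// Counts the attributes on the generated <span> start tag with a small
// tokenizer. A second attribute means the value escaped its quotes.
function countSpanAttributes(html) {
  const startTag = html.match(/^<span([^>]*)>/);
  if (!startTag) return -1;
  const attrs = startTag[1].match(/[a-zA-Z-]+="[^"]*"/g) || [];
  return attrs.length;
}

// Regression check: an escaper is attribute-safe only if no raw quote
// survives for a probe containing both quote characters.
function isAttributeSafe(escape) {
  const probe = 'a"b\'c<d>e&f';
  return !/["']/.test(escape(probe));
}

// Constructed input: a name that closes the title attribute and opens a
// harmless marker attribute, which is enough to show the containment
// failure without any script.
const constructedName = 'Alice" data-injected="1';

console.log(countSpanAttributes(renderMemberLabel(constructedName, escapeForHtmlIncomplete))); // 2
console.log(countSpanAttributes(renderMemberLabel(constructedName, escapeForHtmlComplete)));   // 1
console.log(isAttributeSafe(escapeForHtmlIncomplete), isAttributeSafe(escapeForHtmlComplete)); // false true
```

The practical takeaway for reviewers of a patch like the one the advisory discusses: an escaper must be tested against quote-bearing input in attribute position, not just against angle brackets in text position, since the browser's attribute parser stops at the first unescaped quote regardless of what follows.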
This vulnerability was publicly disclosed on April 17, 2026. There is no indication of active exploitation at this time. No Proof-of-Concept (PoC) code has been publicly released. The vulnerability has not been added to the CISA KEV catalog. The CVSS score of 5.4 (Medium) suggests a moderate level of risk, warranting prompt remediation.
Organizations and individuals using Kimai time tracking software, particularly those running versions between 1.16.3 and 2.52.9, are at risk. Shared hosting environments where multiple Kimai instances reside on the same server are especially vulnerable, as a compromise of one instance could potentially impact others.
• php: Examine Kimai's KimaiEscape.js file for the incomplete escapeForHtml() function. Search for instances where user-supplied data is rendered within HTML attributes without proper escaping.
grep -r "escapeForHtml\(" /path/to/kimai/js/
• generic web: Monitor Kimai application logs for unusual activity, particularly errors related to HTML parsing or rendering.
grep -i "html parsing error" /path/to/kimai/logs/error.log
Disclosure
Exploitation status
EPSS
0.01% (1st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-40479 is to upgrade Kimai to version 2.53.0 or later, which contains the corrected escapeForHtml() function. If upgrading immediately is not feasible, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious HTML attributes in the team member form. Specifically, look for patterns containing double quotes and single quotes within HTML attributes. Additionally, carefully review and sanitize all user-supplied data before rendering it in HTML contexts. After upgrading, verify the fix by attempting to inject a simple HTML attribute (e.g., <img src=x onerror=alert(1)>) in the team member form and confirming that it is properly escaped and does not execute.
Upgrade Kimai to version 2.53.0 or later to mitigate the XSS vulnerability. This update corrects the incomplete escaping in the `escapeForHtml()` function that allowed HTML attribute injection.
CVE-2026-40479 is a stored Cross-Site Scripting (XSS) vulnerability in Kimai, affecting versions 1.16.3 through 2.52.9. It arises from an incomplete security patch that fails to properly escape quotes, allowing attackers to inject malicious HTML.
You are affected if you are using Kimai versions 1.16.3 up to, but not including, version 2.53.0. Check your current version and upgrade if necessary.
Upgrade Kimai to version 2.53.0 or later to remediate the vulnerability. Consider implementing a WAF rule as a temporary workaround if immediate upgrading is not possible.
There is currently no indication of active exploitation of CVE-2026-40479.
Refer to the official Kimai security advisory for details and updates regarding CVE-2026-40479. Check the Kimai project website and GitHub repository for announcements.