Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in kimai2 - CVE-2026-40479


Published: April 14, 2026


Vulnerability identifier: #VU125972
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-40479
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Kevin Papst
Affected software:
kimai2

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary script in another user's browser.

The vulnerability exists due to cross-site scripting in the team member widget when rendering user-controlled profile alias data into an HTML attribute via innerHTML. A remote user can inject a specially crafted profile alias to execute arbitrary script in another user's browser.

User interaction is required, and the injected payload is stored in the user alias field and may execute in an administrator's browser session.
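The description above names the root cause: a profile alias that the user controls is interpolated into markup, including an HTML attribute, that is then handed to innerHTML and parsed. The following is an added example, not Kimai's code, showing the unsafe string-building pattern beside a hardened form that escapes each interpolation point for its context. The function names, the member object and the sample alias are constructed for illustration; the alias only contains quotes and plain tags so that the difference in parsing is visible without any script.

```javascript
// Added example (not Kimai's code): HTML escaping for a user-controlled
// value such as a profile alias that is written into markup which will be
// parsed, e.g. via innerHTML. Names and sample data are constructed.

// Escape the characters that can change HTML structure or terminate a
// quoted attribute value. Safe for text content and double- or single-quoted
// attribute values (not for URL, CSS or JavaScript contexts).
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the alias is concatenated straight into markup that
// later lands in innerHTML, so a quote in the alias ends the title attribute
// and any tag in the alias is parsed as a real element.
function renderMemberUnsafe(member) {
  return '<span class="member" title="' + member.alias + '">' +
    member.alias + '</span>';
}

// Hardened pattern: the same markup, but every interpolation point carries
// the escaped alias. The browser then sees one span whose attribute and text
// contain the alias verbatim, never additional elements or attributes.
function renderMemberSafe(member) {
  const alias = escapeHtml(member.alias);
  return '<span class="member" title="' + alias + '">' + alias + '</span>';
}

// Review aid: count the tags an output string contains. A widget that renders
// one span per member should yield exactly one opening and one closing tag
// regardless of what the alias holds; anything more means the alias was
// parsed as markup.
function countTags(html) {
  return (html.match(/<[a-zA-Z\/][^>]*>/g) || []).length;
}

// Constructed sample: an alias with a double quote, an apostrophe and a
// harmless tag, the kind of value an input filter on a display name would
// typically let through.
const sampleMember = { id: 42, alias: 'Ann "O\'Neil" <i>Team lead</i>' };

console.log('unsafe tags:', countTags(renderMemberUnsafe(sampleMember)));
console.log('safe tags:  ', countTags(renderMemberSafe(sampleMember)));
```

In DOM code the cleanest fix avoids string-building altogether: create the span with document.createElement, set the attribute with setAttribute and the label with textContent, so the alias is never parsed as HTML. Where markup strings are unavoidable, escaping at every interpolation point as above, or running the result through a sanitizer, is the defensive minimum, and the tag count is a cheap regression check to keep in the widget's tests.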


How to mitigate CVE-2026-40479

Install the security update from the vendor's website.

Sources