Stored XSS Vulnerability in Kimai Time Tracking Application
CVE-2026-40479

5.4 MEDIUM

Key Information:

Vendor: Kimai
Status: Vendor
CVE Published: 17 April 2026

What is CVE-2026-40479?

A vulnerability exists in the Kimai time tracking application, specifically in the escapeForHtml() function of KimaiEscape.js across versions 1.16.3 to 2.52.0. This issue arises from the failure to properly escape double quote and single quote characters when inserting user profile aliases into HTML attributes. Consequently, an authenticated user with ROLE_USER privileges can exploit this vulnerability by submitting a malicious alias. If an administrator views the team member form, JavaScript code can be executed in their browser, leading to the possibility of stored XSS and privilege escalation. The issue has been addressed in version 2.53.0, highlighting the importance of keeping applications up-to-date.
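The class of bug described above, as an added illustration that is not Kimai's own code: a hypothetical escaper that handles only `&`, `<` and `>` (safe for text nodes, insufficient for attribute values) next to a hardened form that also escapes both quote characters, plus a defender-side check that no raw quote survives escaping. The alias value is constructed for the example.

```javascript
// Added example (not Kimai's code): models the class of bug in the advisory.
// escapeForHtmlIncomplete is a hypothetical escaper that handles only & < >,
// which is enough for text nodes but not for HTML attribute values.
function escapeForHtmlIncomplete(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Hardened form: also escapes both quote characters, so the value can sit
// inside a double- or single-quoted attribute without terminating it.
// Ampersand is replaced first so the entities added afterwards stay intact.
function escapeForHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Renders an alias into a double-quoted value attribute, as a team member
// form might. The escaper is injected so both variants can be compared.
function renderAliasInput(alias, escaper) {
  return '<input type="text" name="alias" value="' + escaper(alias) + '">';
}

// Defender-side check: after escaping, no raw quote may remain in the
// attribute value; a surviving quote can end the attribute early.
function aliasStaysInsideAttribute(alias, escaper) {
  return !/["']/.test(escaper(alias));
}

// Constructed sample alias containing both quote characters (benign input,
// but the same characters the advisory says were left unescaped).
const SAMPLE_ALIAS = 'Alice "Al" O\'Brien';

console.log('incomplete:', renderAliasInput(SAMPLE_ALIAS, escapeForHtmlIncomplete));
console.log('hardened:  ', renderAliasInput(SAMPLE_ALIAS, escapeForHtml));
```

The same check belongs in a unit test for any escaper that feeds attribute values, since escaping for text nodes and escaping for attributes are different contracts.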

Affected Version(s)

kimai >= 1.16.3, < 2.53.0

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved