Open-Source Time Tracking Application Vulnerability in Kimai
CVE-2026-42267

5.4 MEDIUM

Key Information:

Vendor

Kimai

Status
Vendor
CVE Published:
8 May 2026

What is CVE-2026-42267?

The Kimai time tracking application allows users holding the ROLE_USER role to create tags whose names are formula strings through the API. This enables formula injection when timesheets are exported to XLSX: when an administrator exports the data, tag names containing formulas can be evaluated by Excel, leading to unauthorized code execution. This vulnerability has been addressed in version 2.54.0, which mitigates the risk by ensuring that formula strings are not processed as Excel formulas.
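The defensive check described above, as an added example that is not Kimai's own code: it flags user-controlled strings (here, constructed tag names) that a spreadsheet client would evaluate as formulas and neutralizes them before they reach an export cell. The trigger-character list, the function names and the sample tags are assumptions for illustration; exporters that can write an explicit string cell type should prefer that over the apostrophe escape shown here.

```python
# Leading characters that spreadsheet applications interpret as the start of a
# formula or an external reference. The list is an assumption based on common
# spreadsheet behaviour, not taken from the advisory.
FORMULA_TRIGGER_CHARS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """Return True when a cell value would be evaluated rather than displayed.

    Leading whitespace is stripped first, because a value such as "  =1+1" is
    still treated as a formula by some clients.
    """
    stripped = value.lstrip(" \t\r\n")
    return stripped.startswith(FORMULA_TRIGGER_CHARS)


def neutralize_cell(value: str) -> str:
    """Make a user-controlled string safe to place in an exported cell.

    Prefixing with an apostrophe is the conventional spreadsheet escape: the
    cell keeps its literal text and is not parsed as a formula. Values that are
    not formula-like are returned unchanged so ordinary tags export as before.
    """
    if is_formula_like(value):
        return "'" + value
    return value


def audit_tag_names(tag_names):
    """Defender check: return the tag names that would be risky in an export."""
    return [name for name in tag_names if is_formula_like(name)]


# Constructed sample data standing in for tag names a ROLE_USER could create.
# "-review" is a legitimate-looking tag that would still be parsed as a formula.
SAMPLE_TAGS = ["billable", "=SUM(1,2)", "  +cmd", "client-a", "-review"]


def export_row(tag_names):
    """Build the list of cell values an exporter would write for these tags."""
    return [neutralize_cell(name) for name in tag_names]
```

Running `audit_tag_names(SAMPLE_TAGS)` on an existing tag table is a quick way to find names that need attention before an export is shared.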

Affected Version(s)

kimai >= 2.27.0, < 2.54.0

References

CVSS V4

Score:
5.4
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
