NIXPKGS-2026-0044

published on 19 Jan 2026

CVE-2026-23626

updated 3 days, 2 hours ago by @LeSuisse Activity log

Created automatic suggestion 3 days, 18 hours ago
@LeSuisse accepted as draft 3 days, 2 hours ago
@LeSuisse published on GitHub 3 days, 2 hours ago

Kimai Vulnerable to Authenticated Server-Side Template Injection (SSTI)

Kimai is a web-based multi-user time-tracking application. Prior to version 2.46.0, Kimai's export functionality uses a Twig sandbox with an overly permissive security policy (`DefaultPolicy`) that allows arbitrary method calls on objects available in the template context. An authenticated user with export permissions can deploy a malicious Twig template that extracts sensitive information including environment variables, all user password hashes, serialized session tokens, and CSRF tokens. Version 2.46.0 patches this issue.

Affected products

kimai

==< 2.46.0

Matching in nixpkgs

pkgs.kimai

Web-based multi-user time-tracking application

nixos-unstable 2.43.0
- nixpkgs-unstable 2.43.0
- nixos-unstable-small 2.43.0
nixos-25.05 2.33.0
- nixos-25.05-small 2.33.0
- nixpkgs-25.05-darwin 2.33.0

Package maintainers: 1

@peat-psuwit Ratchanan Srirattanamet <peat@peat-network.xyz>

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0044

Affected products

Matching in nixpkgs

pkgs.kimai

Package maintainers: 1