Nixpkgs security tracker
NIXPKGS-2026-1158
GitHub issue
published on
Permalink
CVE-2026-40479
5.4 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): LOW
- User interaction (UI): REQUIRED
- Scope (S): CHANGED
- Confidentiality impact (C): LOW
- Integrity impact (I): LOW
- Availability impact (A): NONE
by @LeSuisse Activity log
- Created suggestion
- @LeSuisse accepted
- @LeSuisse published on GitHub
Kimai: Stored XSS via Incomplete HTML Attribute Escaping in Team Member Widget
Kimai is an open-source time tracking application. In versions 1.16.3 through 2.52.0, the escapeForHtml() function in KimaiEscape.js does not escape double quote or single quote characters. When a user's profile alias is inserted into an HTML attribute context via the team member form prototype and rendered through innerHTML, this incomplete escaping allows HTML attribute injection. An authenticated user with ROLE_USER privileges can store a malicious alias that executes JavaScript in the browser of any administrator viewing the team form, resulting in stored XSS with privilege escalation. This issue has been fixed in version 2.53.0.
References
-
https://github.com/kimai/kimai/security/advisories/GHSA-g82g-m9vx-vhjg x_refsource_CONFIRM
Ignored references (1)
-
https://github.com/kimai/kimai/releases/tag/2.53.0 x_refsource_MISC
Affected products
kimai
- ==>= 1.16.3, < 2.53.0
Package maintainers
-
@peat-psuwit Ratchanan Srirattanamet <peat@peat-network.xyz>