Kevin Papst

10 exploits Active since Nov 2021
CVE-2026-28685 WRITEUP MEDIUM WRITEUP
Kimai <2.51.0 - Privilege Escalation
Kimai is a web-based multi-user time-tracking application. Prior to version 2.51.0, "GET /api/invoices/{id}" only checks the role-based view_invoice permission but does not verify the requesting user has access to the invoice's customer. Any user with ROLE_TEAMLEAD (which grants view_invoice) can read all invoices in the system, including those belonging to customers assigned to other teams. This issue has been patched in version 2.51.0.
CVSS 6.5
CVE-2021-3957 WRITEUP MEDIUM WRITEUP
Kimai2 < 1.16.2 - Cross-Site Request Forgery
kimai2 is vulnerable to Cross-Site Request Forgery (CSRF)
CVSS 4.3
CVE-2021-3963 WRITEUP MEDIUM WRITEUP
Kimai2 < 1.16.2 - Cross-Site Request Forgery
kimai2 is vulnerable to Cross-Site Request Forgery (CSRF)
CVSS 4.3
CVE-2021-3976 WRITEUP MEDIUM WRITEUP
Kimai2 < 1.16.2 - Cross-Site Request Forgery
kimai2 is vulnerable to Cross-Site Request Forgery (CSRF)
CVSS 6.5
CVE-2021-3983 WRITEUP MEDIUM WRITEUP
kimai2 < 1.16.3 - Stored Cross-Site Scripting
kimai2 is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS 6.1
CVE-2021-3985 WRITEUP CRITICAL WRITEUP
kimai2 < 1.16.3 - Stored Cross-Site Scripting
kimai2 is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS 9.0
CVE-2021-3992 WRITEUP MEDIUM WRITEUP
kimai2 < 1.16.2 - Improper Access Control
kimai2 is vulnerable to Improper Access Control
CVSS 6.5
CVE-2021-43515 WRITEUP HIGH WRITEUP
Kimai < 1.14.1 - CSV Injection via Timesheet Description Field
CSV Injection (aka Excel Macro Injection or Formula Injection) exists in creating new timesheet in Kimai. By filling the Description field with malicious payload, it will be mistreated while exporting to a CSV file.
CVSS 7.8
CVE-2023-46245 WRITEUP HIGH WRITEUP
Kimai < 2.1.0 - Server-Side Template Injection and Remote Code Execution via Twig File Upload
Kimai is a web-based multi-user time-tracking application. Versions prior to 2.1.0 are vulnerable to a Server-Side Template Injection (SSTI) which can be escalated to Remote Code Execution (RCE). The vulnerability arises when a malicious user uploads a specially crafted Twig file, exploiting the software's PDF and HTML rendering functionalities. Version 2.1.0 enables security measures for custom Twig templates.
CVSS 7.2
CVE-2026-23626 WRITEUP MEDIUM WRITEUP
Kimai < 2.46.0 - Authenticated Information Disclosure via Twig Template Injection
Kimai is a web-based multi-user time-tracking application. Prior to version 2.46.0, Kimai's export functionality uses a Twig sandbox with an overly permissive security policy (`DefaultPolicy`) that allows arbitrary method calls on objects available in the template context. An authenticated user with export permissions can deploy a malicious Twig template that extracts sensitive information including environment variables, all user password hashes, serialized session tokens, and CSRF tokens. Version 2.46.0 patches this issue.
CVSS 6.8