Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

Kimai

Source -

CNA

CNA CVEs -

4

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

0
Related CVEsRelated VendorsRelated AssignersReports
4Vulnerabilities found
CVE-2019-25317
Assigner-VulnCheck
ShareView Details
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.01% / 1.15%
||
7 Day CHG~0.00%
Published-11 Feb, 2026 | 14:56
Updated-05 Mar, 2026 | 01:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kimai 2- persistent cross-site scripting (XSS)

Kimai 2 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts into timesheet descriptions. Attackers can insert SVG-based XSS payloads in the description field to execute arbitrary JavaScript when the page is loaded and viewed by other users.

Action-Not Available
Vendor-kimaikevinpapst
Product-kimaiKimai
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-53957
Assigner-VulnCheck
ShareView Details
Assigner-VulnCheck
CVSS Score-8.5||HIGH
EPSS-0.15% / 35.00%
||
7 Day CHG~0.00%
Published-19 Dec, 2025 | 21:05
Updated-07 Apr, 2026 | 14:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kimai 1.30.10 SameSite Cookie Vulnerability Session Hijacking

Kimai 1.30.10 contains a SameSite cookie vulnerability that allows attackers to steal user session cookies through malicious exploitation. Attackers can trick victims into executing a crafted PHP script that captures and writes session cookie information to a file, enabling potential session hijacking.

Action-Not Available
Vendor-kimaiKimai
Product-kimaiKimai
CWE ID-CWE-1275
Sensitive Cookie with Improper SameSite Attribute
CVE-2013-10033
Assigner-VulnCheck
ShareView Details
Assigner-VulnCheck
CVSS Score-9.3||CRITICAL
EPSS-69.55% / 98.68%
||
7 Day CHG+2.91%
Published-31 Jul, 2025 | 14:56
Updated-07 Apr, 2026 | 14:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kimai 0.9.2 db_restore.php SQL Injection

An unauthenticated SQL injection vulnerability exists in Kimai version 0.9.2.x via the db_restore.php endpoint. The flaw allows attackers to inject arbitrary SQL queries into the dates[] POST parameter, enabling file write via INTO OUTFILE under specific environmental conditions. This can lead to remote code execution by writing a PHP payload to the web-accessible temporary directory. The vulnerability has been confirmed in versions including 0.9.2.beta, 0.9.2.1294.beta, and 0.9.2.1306-3.

Action-Not Available
Vendor-Kimai Project
Product-Kimai
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-4596
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-3.7||LOW
EPSS-0.26% / 49.24%
||
7 Day CHG~0.00%
Published-07 May, 2024 | 15:31
Updated-10 Oct, 2025 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kimai Session information disclosure

A vulnerability was found in Kimai up to 2.15.0 and classified as problematic. Affected by this issue is some unknown functionality of the component Session Handler. The manipulation of the argument PHPSESSIONID leads to information disclosure. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. Upgrading to version 2.16.0 is able to address this issue. It is recommended to upgrade the affected component. VDB-263318 is the identifier assigned to this vulnerability.

Action-Not Available
Vendor-kimain/a
Product-kimaiKimai
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor