PT-2026-33216 · Kimai · Kimai

Kevinpapst · Published 2026-04-15 · Updated 2026-04-27 · CVE-2026-40479

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Kimai (affected versions not specified)
Description: An incomplete security patch in the client-side escapeForHtml() function within KimaiEscape.js allows Stored Cross-Site Scripting (XSS). The function fails to escape double quotes (") and single quotes ('), which are essential for preventing injection in HTML attribute contexts. When user-controlled data, such as a profile alias, is placed in an HTML attribute like title="DISPLAY" and rendered via innerHTML, an attacker can perform HTML attribute injection. This can lead to privilege escalation, where a user with ROLE_USER permissions executes scripts in the browser session of a user with ROLE_ADMIN or ROLE_SUPER_ADMIN permissions.
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
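Added illustration, not Kimai's own escapeForHtml() (which is not reproduced here): an escaper that covers only the tag-context characters, the incomplete pattern the description attributes to the function, beside one that also escapes both quote characters, plus a round-trip check through a title attribute showing why the quotes matter for attribute contexts. The alias value is constructed.

```javascript
// Added illustration, not Kimai's escapeForHtml(): an escaper covering only the
// tag-context characters (the incomplete pattern the advisory describes) beside
// one that also covers the two attribute-context quote characters.
const ESCAPE_INCOMPLETE = { '&': '&amp;', '<': '&lt;', '>': '&gt;' };
const ESCAPE_COMPLETE = { ...ESCAPE_INCOMPLETE, '"': '&quot;', "'": '&#39;' };

// Character-by-character replacement; characters outside the map pass through.
function escapeWith(map, value) {
  let out = '';
  for (const ch of String(value)) out += map[ch] ?? ch;
  return out;
}

// Attribute-context sink mirroring the title="DISPLAY" pattern in the advisory.
function renderTitle(escaped) {
  return '<span title="' + escaped + '">user</span>';
}

// Defender's check: a value destined for an HTML attribute must carry no raw
// quote of either kind after escaping, or it can terminate the attribute.
function attributeSafe(escaped) {
  return !escaped.includes('"') && !escaped.includes("'");
}

// Naive reader of the title value: everything up to the next double quote,
// which is exactly where an HTML parser would end the attribute as well.
function readTitle(html) {
  const start = html.indexOf('title="') + 'title="'.length;
  return html.slice(start, html.indexOf('"', start));
}

// Entity decoding for the round trip; &amp; is decoded last on purpose.
function decodeEntities(s) {
  return s.replace(/&quot;/g, '"').replace(/&#39;/g, "'")
    .replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// Round trip alias -> escape -> attribute -> read back -> decode. With the
// complete map the alias survives intact; with the incomplete map the first
// raw " ends the attribute early and the rest of the alias lands outside it.
function roundTrip(map, alias) {
  return decodeEntities(readTitle(renderTitle(escapeWith(map, alias))));
}

// Constructed sample alias containing both quote characters.
const SAMPLE_ALIAS = 'Alice "Al" O\'Neil';
```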

LPE · XSS

Weakness Enumeration

Related Identifiers

CVE-2026-40479
GHSA-G82G-M9VX-VHJG

Affected Products

Kimai