PT-2026-37257 · Openspout+1

Satexd · Published 2026-05-05 · Updated 2026-05-09 · CVE-2026-42267

CVSS v4.0 6.8 Medium
Vector: AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Kimai versions 2.27.0 through 2.53.x
Description: Users with ROLE_USER privileges can create a tag whose name is a formula string (for example =SUM(54+51)) via the POST /api/tags endpoint and assign it to a timesheet. ArrayFormatter.formatValue() joins the tag names with implode() and performs no sanitization, so the joined string reaches the export writer exactly as entered. When an administrator exports timesheets to XLSX, the OpenSpout library treats any string value that begins with = as a FormulaCell and writes it into the archive as a formula rather than as text; Excel then evaluates the formula when the file is opened. The root cause is twofold: ArrayFormatter does not call sanitizeDDE(), and the API accepts tag names that begin with formula trigger characters such as =, +, -, and @. Exploitation needs an administrator to perform the export and someone to open the resulting file, which is why the vector carries UI:A.
Recommendations: Update to version 2.54.0. As a temporary workaround, avoid creating tags that begin with =, +, -, or @, restrict access to the POST /api/tags endpoint for untrusted users, and review tags already stored, since the workaround does not change existing tag names.

Exploit · Fix · RCE


Related Identifiers

CVE-2026-42267
GHSA-3XC2-H5R3-WV3R

Affected Products

Kimai
Openspout