CVE-2026-44298

Name of the Vulnerable Software and Affected Versions Kimai versions 2.32.0 through 2.55.x

Description Users with the System-Admin role (ROLE SYSTE ADMIN) and the upload invoice template permission can upload PDF invoice templates that execute pdfContext.setOption('associated files', ...) within the sandboxed Twig render. This request is forwarded to the SetAssociatedFiles() function of mPDF, which utilizes file get contents($entry['path']) during PDF output to embed bytes as a FlateDecode stream. Consequently, any file readable by the PHP worker can be retrieved by an attacker through the rendered invoice.

Recommendations Update Kimai to version 2.56.0.