#VU125972 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in kimai2 - CVE-2026-40479
Published: April 14, 2026
Vulnerability identifier: #VU125972
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-40479
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
kimai2
kimai2
Software vendor:
Kevin Papst
Kevin Papst
Description
The vulnerability allows a remote user to execute arbitrary script in another user's browser.
The vulnerability exists due to cross-site scripting in the team member widget when rendering user-controlled profile alias data into an HTML attribute via innerHTML. A remote user can inject a specially crafted profile alias to execute arbitrary script in another user's browser.
User interaction is required, and the injected payload is stored in the user alias field and may execute in an administrator's browser session.
Remediation
Install security update from vendor's website.