CVE-2026-23626— Kimai Vulnerable to Authenticated Server-Side Template Injection (SSTI)
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-23626
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Kimai Vulnerable to Authenticated Server-Side Template Injection (SSTI)
Source: NVD (National Vulnerability Database)
Vulnerability Description
Kimai is a web-based multi-user time-tracking application. Prior to version 2.46.0, Kimai's export functionality uses a Twig sandbox with an overly permissive security policy (`DefaultPolicy`) that allows arbitrary method calls on objects available in the template context. An authenticated user with export permissions can deploy a malicious Twig template that extracts sensitive information including environment variables, all user password hashes, serialized session tokens, and CSRF tokens. Version 2.46.0 patches this issue.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
CWE-1336
Source: NVD (National Vulnerability Database)
Vulnerability Title
kimai 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
kimai是kimai个人开发者的一个基于网络的多用户时间跟踪应用程序。 kimai 2.46.0之前版本存在安全漏洞,该漏洞源于导出功能使用的Twig沙箱安全策略过于宽松,允许对模板上下文中的对象进行任意方法调用,可能导致提取敏感信息。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-23626
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-23626
请登录查看更多情报信息。
- Release 2.46 (#5757) · kimai/kimai@6a86afb · GitHubx_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2026-23626
IV. Related Vulnerabilities
Same product: kimai
- CVE-2026-44298
Kimai: Arbitrary file read in invoice PDF renderer (admin) - CVE-2026-41498
Kimai: Team API Missing Object-Level Authorization - CVE-2026-42267
Kimai: Formula Injection via tag names in XLSX export - CVE-2026-40486
Kimai's User Preferences API allows standard users to modify - CVE-2026-40479
Kimai: Stored XSS via Incomplete HTML Attribute Escaping in
Same vendor: kimai
- CVE-2026-44298
Kimai: Arbitrary file read in invoice PDF renderer (admin) - CVE-2026-41498
Kimai: Team API Missing Object-Level Authorization - CVE-2026-42267
Kimai: Formula Injection via tag names in XLSX export - CVE-2026-40486
Kimai's User Preferences API allows standard users to modify - CVE-2026-40479
Kimai: Stored XSS via Incomplete HTML Attribute Escaping in
Same weakness: CWE-1336
- CVE-2026-44129
Server-side template injection - CVE-2026-44916
OpenStack Ironic 安全漏洞 - CVE-2026-42203
LiteLLM: Server-Side Template Injection in /prompts/test end - CVE-2026-6984
AstrBotDevs AstrBot Dashboard API t2i.py create_template spe - CVE-2026-34587
Kirby has Server-Side Template Injection (SSTI) via double t
V. Comments for CVE-2026-23626
No comments yet