CVE-2026-42267— Kimai: Formula Injection via tag names in XLSX export
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-42267
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Kimai: Formula Injection via tag names in XLSX export
Source: NVD (National Vulnerability Database)
Vulnerability Description
Kimai is an open-source time tracking application. From version 2.27.0 to before version 2.54.0, any ROLE_USER can create a tag with a formula string as its name (e.g. =SUM(54+51)) via POST /api/tags and assign it to a timesheet. When an admin exports timesheets to XLSX, ArrayFormatter.formatValue() joins tag names with implode() and returns the result unchanged. OpenSpout promotes any =-prefixed string to a FormulaCell, writing <f>SUM(54+51)</f> into the XLSX archive. Excel evaluates the formula when the file is opened. This issue has been patched in version 2.54.0.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
CWE-1236
Source: NVD (National Vulnerability Database)
Vulnerability Title
kimai 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
kimai是kimai个人开发者的一个基于网络的多用户时间跟踪应用程序。 kimai 2.27.0版本至2.54.0之前版本存在安全漏洞,该漏洞源于任何ROLE_USER可通过POST /api/tags创建带有公式字符串作为名称的标签并分配给时间表,当管理员将时间表导出为XLSX时,ArrayFormatter.formatValue()使用implode()连接标签名称并返回未更改结果,OpenSpout将任何以=为前缀的字符串提升为FormulaCell,Excel在打开文件时评估公式。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-42267
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-42267
请登录查看更多情报信息。
- Release 2.54.0 · kimai/kimai · GitHubx_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2026-42267
Same Patch Batch · kimai · 2026-05-08 · 3 CVEs total
| CVE-2026-44298 | 4.1 MEDIUM | Kimai: Arbitrary file read in invoice PDF renderer (admin) |
| CVE-2026-41498 | 3.3 LOW | Kimai: Team API Missing Object-Level Authorization |
IV. Related Vulnerabilities
Same product: kimai
- CVE-2026-44298
Kimai: Arbitrary file read in invoice PDF renderer (admin) - CVE-2026-41498
Kimai: Team API Missing Object-Level Authorization - CVE-2026-40486
Kimai's User Preferences API allows standard users to modify - CVE-2026-40479
Kimai: Stored XSS via Incomplete HTML Attribute Escaping in - CVE-2026-28685
Kimai: API invoice endpoint missing customer-level access co
Same vendor: kimai
- CVE-2026-44298
Kimai: Arbitrary file read in invoice PDF renderer (admin) - CVE-2026-41498
Kimai: Team API Missing Object-Level Authorization - CVE-2026-40486
Kimai's User Preferences API allows standard users to modify - CVE-2026-40479
Kimai: Stored XSS via Incomplete HTML Attribute Escaping in - CVE-2026-28685
Kimai: API invoice endpoint missing customer-level access co
Same weakness: CWE-1236
- CVE-2026-27644
traccar allows CSV formula injection via exported position d - CVE-2023-54348
ERPGo SaaS 3.9 CSV Injection via Vendor Creation - CVE-2026-39424
MaxKB has CSV Injection in its Application Chat Export Funct - CVE-2026-24447
Movable Type 安全漏洞 - CVE-2025-67851
Moodle: moodle: formula injection allows arbitrary formula e
V. Comments for CVE-2026-42267
No comments yet