
12 matches found

Cvelist
added 2026/04/17 10:35 p.m., 16 views

CVE-2026-40486 Kimai's User Preferences API allows standard users to modify restricted attributes: hourly_rate, internal_rate

Kimai is an open-source time tracking application. In versions 2.52.0 and below, the User Preferences API endpoint PATCH /api/users/id/preferences applies submitted preference values without checking the isEnabled flag on preference objects. Although the hourly_rate and internal_rate fields are...

CVSS 4.3, EPSS 0.0002
Exploits: 1, References: 2
Vulnrichment
added 2026/04/17 10:35 p.m., 1 view

CVE-2026-40486 Kimai's User Preferences API allows standard users to modify restricted attributes: hourly_rate, internal_rate

Kimai is an open-source time tracking application. In versions 2.52.0 and below, the User Preferences API endpoint PATCH /api/users/id/preferences applies submitted preference values without checking the isEnabled flag on preference objects. Although the hourly_rate and internal_rate fields are...

CVSS 4.3, AI score 5.7, EPSS 0.0002
Exploits: 1, References: 2
CVE
added 2026/04/17 10:35 p.m., 12 views

CVE-2026-40486

Kimai CVE-2026-40486 affects the User Preferences API. In versions

CVSS 4.3, AI score 5.7, EPSS 0.0002
Exploits: 1, References: 2, Affected Software: 1
OSV
added 2026/04/15 7:46 p.m., 1 view

GHSA-QH43-XRJM-4GGP Kimai's User Preferences API allows standard users to modify restricted attributes: hourly_rate, internal_rate

Summary: A Mass Assignment / Broken Object Property Level Authorization (BOPA) vulnerability in the User Preferences API allows any authenticated user, even those with the lowest privileges, to arbitrarily modify restricted financial attributes on their profile, specifically their hourly_rate and...

CVSS 4.3, AI score 5.8, EPSS 0.0002
Exploits: 1, References: 4
Snyk
added 2026/04/15 7:46 p.m., 1 view

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview: Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes through the updateUserPreference process. An attacker can alter restricted financial attributes by sending crafted API requests to modify their own hourlyrat...

CVSS 5.3, AI score 5.8, EPSS 0.0002
Exploits: 1, References: 2
Positive Technologies
added 2026/04/15 12:00 a.m., 2 views

PT-2026-33218

Summary: A Mass Assignment / Broken Object Property Level Authorization (BOPA) vulnerability in the User Preferences API allows any authenticated user, even those with the lowest privileges, to arbitrarily modify restricted financial attributes on their profile, specifically their hourly rate and...

CVSS 4.3, AI score 5.8, EPSS 0.0002
Exploits: 1, References: 6
OSV
added 2025/09/30 4:15 p.m., 4 views

CVE-2025-56571

Finance.js v4.1.0 contains a Denial of Service (DoS) vulnerability via the IRR function's depth parameter. Improper handling of the recursion/iteration limit can lead to excessive CPU usage, causing application stalls or crashes...

CVSS 7.5, AI score 6.9, EPSS 0.00389
Exploits: 0, References: 4
CNNVD
added 2025/09/30 12:00 a.m., 2 views

Finance.js Security Vulnerability

Finance.js is a JavaScript library for financial calculations by Essam B. (individual developer). A security vulnerability exists in Finance.js version 4.1.0, which stems from improper handling of the depth parameter of the IRR function and could lead to a denial of service attack...

CVSS 7.5, AI score 6.3, EPSS 0.00081
Exploits: 0, References: 4
Positive Technologies
added 2025/09/30 12:00 a.m., 2 views

PT-2025-40041

Finance.js v4.1.0 contains a Denial of Service (DoS) vulnerability via the IRR function's depth parameter. Improper handling of the recursion/iteration limit can lead to excessive CPU usage, causing application stalls or crashes...

CVSS 7.5, AI score 6.9, EPSS 0.00389
Exploits: 0, References: 6
CVE
added 2025/09/30 12:00 a.m., 39 views

CVE-2025-56571

Finance.js v4.1.0 is affected by a DoS via the IRR() function (depth parameter) and via seekZero(), causing excessive CPU usage that can stall or crash applications. The root cause is improper handling of recursion/iteration limits. Exploitation status is not detailed in the provided documents. R...

CVSS 7.5, AI score 6.5, EPSS 0.00081
Exploits: 0, References: 4, Affected Software: 1
Positive Technologies
added 2025/09/30 12:00 a.m., 1 view

PT-2025-40000

Name of the Vulnerable Software and Affected Versions: Finance.js versions 4.1.0. Description: A flaw exists in Finance.js version 4.1.0 that can lead to a Denial of Service (DoS). This occurs due to improper handling of recursion/iteration limits within the IRR function's depth parameter, potentially...

CVSS 7.5, AI score 6.5, EPSS 0.00389
Exploits: 0, References: 13
Snyk
added 2025/08/19 7:41 a.m., 1 view

Improper Certificate Validation

Overview: Affected versions of this package are vulnerable to Improper Certificate Validation due to improper mTLS configuration handling. An attacker can exploit this misconfiguration to establish unauthorized connections to Redis instances that are intended to require client certificate...

CVSS 6, AI score 5.9
Exploits: 0, References: 2