9 matches found
CVE-2026-44298
Kimai is an open-source time tracking application. From version 2.32.0 to before version 2.56.0, users with the role System-Admin ROLESYSTEADMIN and the permission uploadinvoicetemplate can upload PDF invoice templates, which can call pdfContext.setOption'associatedfiles', ... inside the sandboxe...
EUVD-2026-28517
Kimai has an arbitrary file read in its invoice PDF renderer admin...
kimai 路径遍历漏洞
Kimai is a web-based, multi-user time tracking application developed by Kimai’s individual developers. Versions of Kimai from 2.32.0 to 2.56.0 contained a path traversal vulnerability. This vulnerability occurred when system administrator users with the “uploadinvoicetemplate” permission uploaded...
Incomplete List of Disallowed Inputs
Overview Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs in the getApiToken method when rendering invoice templates via the Twig sandbox environment. An attacker can access hashed API tokens of users by embedding calls to this method in a custom invoice...
WordPress WooCommerce PDF Invoice Builder plugin missing license vulnerability
WordPress WooCommerce PDF Invoice Builder plugin is designed for WooCommerce e-commerce platform invoice and packing slip generation tool, support customized templates, multi-language, conditional generation and other features, to help merchants create professional documents in line with the bran...
GHSA-GF2C-93HM-R9J5 Cross-site Scripting in kimai2
kimai2 is vulnerable to Cross-Site Request Forgery CSRF in deleting invoice templates. This vulnerability is capable of tricking admin user to delete invoice templates...
Cross-site Scripting in kimai2
kimai2 is vulnerable to Cross-Site Request Forgery CSRF in deleting invoice templates. This vulnerability is capable of tricking admin user to delete invoice templates...
Cross-Site Request Forgery (CSRF)
kevinpapst/kimai2 is vulnerable to cross-site request forgery. An attacker can delete invoice templates through the deleteCommentAction function in CustomerController.php...
Cross-Site Request Forgery (CSRF) in kevinpapst/kimai2
Description CSRF in deleting invoice templates Proof of Concept CLICK ME! Impact This vulnerability is capable of tricking admin user to delete invoice templates...