CVE-2026-28685
Kimai is a web-based multi-user time-tracking application. Prior to version 2.51.0, "GET /api/invoices/id" only checks the role-based viewinvoice permission but does not verify the requesting user has access to the invoice's customer. Any user with ROLETEAMLEAD which grants viewinvoice can read a...