CVE-2026-42267
Kimai vulnerability CVE-2026-42267 affects Kimai versions from 2.27.0 up to, but not including, 2.54.0. A user with ROLE_USER can create a tag whose name is a formula string (for example =SUM(54+51)) via POST /api/tags and attach it to a timesheet. When an admin exports to XLSX, ArrayFormatter.formatValue() conc...
CVE-2026-42267 Kimai: Formula Injection via tag names in XLSX export
Kimai is an open-source time tracking application. From version 2.27.0 to before version 2.54.0, any ROLE_USER can create a tag with a formula string as its name, e.g. =SUM(54+51), via POST /api/tags and assign it to a timesheet. When an admin exports timesheets to XLSX, ArrayFormatter.formatValue joi...
CVE-2026-40486
Kimai is an open-source time tracking application. In versions 2.52.0 and below, the User Preferences API endpoint PATCH /api/users/{id}/preferences applies submitted preference values without checking the isEnabled flag on preference objects. Although the hourly_rate and internal_rate fields are...
CVE-2025-57681
The WorklogPRO - Timesheets for Jira plugin in Jira Data Center before version 4.23.6-jira10 and before version 4.23.5-jira9 allows users and attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability. The vulnerability is exploited via a specially crafted paylo...
PT-2026-3781
Name of the Vulnerable Software and Affected Versions: WorklogPRO - Timesheets for Jira versions prior to 4.23.6-jira10; WorklogPRO - Timesheets for Jira versions prior to 4.23.5-jira9. Description: The WorklogPRO - Timesheets for Jira plugin contains a flaw that allows the injection of arbitrary HTM...
Atlassian WorklogPRO – Jira Timesheets security vulnerabilities
Atlassian WorklogPRO - Timesheets for Jira is a time management plugin developed by the Australian company Atlassian. Vulnerabilities existed in versions of Atlassian WorklogPRO - Timesheets for Jira prior to 4.23.6-jira10 and 4.23.5-jira9. These vulnerabilities were due to the ability for users...
EUVD-2026-3658
The WorklogPRO - Timesheets for Jira plugin in Jira Data Center before version 4.23.6-jira10 and before version 4.23.5-jira9 allows users and attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability. The vulnerability is exploited via a specially crafted paylo...
CVE-2025-67824
The WorklogPRO - Jira Timesheets plugin in Jira Data Center before 4.24.2-jira9, 4.24.2-jira10 and 4.24.2-jira11 allows attackers to inject arbitrary HTML or JavaScript via XSS. This is exploited via a crafted payload placed in the name of a filter. This code is executed in the browser when t...
Starware WorklogPRO – Jira Timesheets security vulnerabilities
The Starware WorklogPRO – Jira Timesheets is a time tracking plugin developed by The Starware company in Turkey. Versions of The Starware WorklogPRO – Jira Timesheets prior to 4.24.1-jira9, 4.24.1-jira10, and 4.24.1-jira11 contained security vulnerabilities. These vulnerabilities were caused by...
CVE-2025-67824
The CVE-2025-67824 entry concerns WorklogPRO - Jira Timesheets for Jira Data Center. Affected versions (pre-4.24.2-jira9, -jira10, -jira11) are vulnerable to Cross-Site Scripting (XSS) via a crafted payload in the name of a filter. The vulnerability is triggered when a user attempts to create a t...
EUVD-2025-27208
Malicious code in bioql PyPI...
CVE-2025-52049
In Frappe ErpNext v15.57.5, the function get_timesheet_detail_rate at erpnext/projects/doctype/timesheet/timesheet.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting an SQL query into the timelog parameter...
CVE-2025-42917
SAP HCM Approve Timesheets Fiori 2.0 application does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This issue has a significant impact on the application's integrity, while confidentiality and availability remain unaffected...
CVE-2025-42917
CVE-2025-42917 affects SAP HCM Approve Timesheets Fiori 2.0 application. The root cause is missing authorization checks for an authenticated user, enabling privilege escalation that compromises integrity while confidentiality and availability remain unaffected. The public sources describe the vul...