Back to list

Kimai vulnerable to formula Injection via tag names in XLSX export — CVE-2026-42267

GitHub · GitHub · CVE-2026-42267

ID
CVE-2026-42267
Date
Updated
Activity
Source
GitHub
Vendor
GitHub
Threat
medium
CVSS
5.4
EPSS
0.00047

Summary

## Summary Any `ROLE_USER` can create a tag with a formula string as its name (e.g. `=SUM(54+51)`) via `POST /api/tags` and assign it to a timesheet. When an admin exports timesheets to XLSX, `ArrayFormatter.formatValue()` joins tag names with `implode()` and returns the result unchanged. OpenSpout promotes any `=`-prefixed string to a `FormulaCell`, writing `<f>SUM(54+51)</f>` into the XLSX archive. Excel…

Product

composer: kimai/kimai

What to do

General, cautious steps (verify details in the official source):

  • Review exposure and plan remediation based on risk and environment.
  • Identify affected product versions in your inventory and verify whether you are impacted.
  • Apply vendor patches/updates or recommended mitigations as soon as available.
  • Read the official advisory for exact affected versions and remediation steps.

Official advisory

Related advisories

GitHub GitHub 2026-W20