Publish Advisories

GHSA-g82g-m9vx-vhjg
GHSA-mj87-hwqh-73pj
GHSA-qh43-xrjm-4ggp
GHSA-r4v4-5mwr-2fwr
GHSA-xjw8-8c5c-9r79

Author: advisory-database[bot]

advisories/github-reviewed/2026/04/GHSA-g82g-m9vx-vhjg/GHSA-g82g-m9vx-vhjg.json

@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-g82g-m9vx-vhjg",
+  "modified": "2026-04-15T19:46:35Z",
+  "published": "2026-04-15T19:46:35Z",
+  "aliases": [
+    "CVE-2026-40479"
+  ],
+  "summary": "Kimai has Stored XSS via Incomplete HTML Attribute Escaping in Team Member Widget",
+  "details": "### Summary\nThe client-side `escapeForHtml()` function in `KimaiEscape.js`, introduced in commit `89bfa82c` (#2959) to fix a JavaScript XSS vulnerability, only escapes `<`, `>`, and `&` but does not escape `\"` (double quote) or `'` (single quote). When user-controlled data (profile alias) is placed in an HTML attribute context (`title=\"__DISPLAY__\"`) via the team member form prototype and rendered through `innerHTML`, the missing quote escaping allows HTML attribute injection, resulting in Stored XSS.\n\n### Details\nIncomplete security patch. The `escapeForHtml()` function was meant to prevent XSS but missed quote characters, which are critical for HTML attribute context escaping.\n\n**Vulnerable code** — `assets/js/plugins/KimaiEscape.js:29-33`:\n```javascript\nconst tagsToReplace = {\n    '&': '&amp;',\n    '<': '&lt;',\n    '>': '&gt;',\n    // MISSING: '\"': '&quot;'\n    // MISSING: \"'\": '&#039;'\n};\n```\n\n**Affected code files**:\n- `assets/js/plugins/KimaiEscape.js:24-38` — incomplete escape function\n- `assets/js/forms/KimaiTeamForm.js:77,86` — replacement + innerHTML\n- `templates/macros/widgets.html.twig:126` — `title=\"{{ tooltip }}\"` in avatar macro\n- `templates/form/blocks.html.twig:104` — `{{ widgets.avatar('__INITIALS__', '__COLOR__', '__DISPLAY__') }}`\n\n### PoC\n[poc.zip](https://github.com/user-attachments/files/26537515/poc.zip)\n\nPlease extract the uploaded compressed file before proceeding\n\n1. ./setup.sh\n2. ./poc_xss.sh\n\n<img width=\"751\" height=\"155\" alt=\"스크린샷 2026-04-07 오후 9 06 27\" src=\"https://github.com/user-attachments/assets/c09a23fb-f60b-49dd-9018-8c723e35b4c4\" />\n\n### Impact\n- Stored XSS: payload persists in the database (user alias field)\n- Privilege escalation: ROLE_USER injects XSS that executes in ROLE_ADMIN/ROLE_SUPER_ADMIN browser session",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "kimai/kimai"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.53.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/kimai/kimai/security/advisories/GHSA-g82g-m9vx-vhjg"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/kimai/kimai/pull/2959"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/kimai/kimai"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/kimai/kimai/releases/tag/2.53.0"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-15T19:46:35Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/04/GHSA-mj87-hwqh-73pj/GHSA-mj87-hwqh-73pj.json

@@ -0,0 +1,62 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-mj87-hwqh-73pj",
+  "modified": "2026-04-15T19:45:44Z",
+  "published": "2026-04-15T19:45:44Z",
+  "aliases": [
+    "CVE-2026-40347"
+  ],
+  "summary": "python-multipart affected by Denial of Service via large multipart preamble or epilogue data",
+  "details": "### Summary\n\nA denial of service vulnerability exists when parsing crafted `multipart/form-data` requests with large preamble or epilogue sections.\n\n### Details\n\nTwo inefficient multipart parsing paths could be abused with attacker-controlled input.\n\nBefore the first multipart boundary, the parser handled leading CR and LF bytes inefficiently while searching for the start of the first part. After the closing boundary, the parser continued processing trailing epilogue data instead of discarding it immediately. As a result, parsing time could grow with the size of crafted data placed before the first boundary or after the closing boundary.\n\n### Impact\n\nAn attacker can send oversized malformed multipart bodies that consume excessive CPU time during request parsing, reducing request-handling capacity and delaying legitimate requests. This issue degrades availability but does not typically result in a complete denial of service for the entire application.\n\n### Mitigation\n\nUpgrade to version `0.0.26` or later, which skips ahead to the next boundary candidate when processing leading CR/LF data and immediately discards epilogue data after the closing boundary.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "python-multipart"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.0.26"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/Kludex/python-multipart/security/advisories/GHSA-mj87-hwqh-73pj"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/Kludex/python-multipart"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Kludex/python-multipart/releases/tag/0.0.26"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-400",
+      "CWE-834"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-15T19:45:44Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/04/GHSA-qh43-xrjm-4ggp/GHSA-qh43-xrjm-4ggp.json

@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-qh43-xrjm-4ggp",
+  "modified": "2026-04-15T19:46:45Z",
+  "published": "2026-04-15T19:46:45Z",
+  "aliases": [
+    "CVE-2026-40486"
+  ],
+  "summary": "Kimai's User Preferences API allows standard users to modify restricted attributes: hourly_rate, internal_rate",
+  "details": "### Summary\nA Mass Assignment / Broken Object Property Level Authorization (BOPA) vulnerability in the User Preferences API allows any authenticated user (even those with the lowest privileges) to arbitrarily modify restricted financial attributes on their profile, specifically their `hourly_rate` and `internal_rate`.\n\n### Details\nKimai restrictively protects the `hourly_rate` and `internal_rate` parameters during standard GUI flow. Users lacking the `hourly-rate` role permissions cannot see or edit these fields via the standard Web Form (`UserApiEditForm` / `UserEditType`). \n\nThe vulnerability exists in the dedicated preferences API endpoint: `src/API/UserController.php::updateUserPreference`.\n\nWhen a `PATCH` request is sent to `/api/users/{id}/preferences`, the endpoint iterates through the submitted JSON array and blindly applies the new values:\n```php\nforeach ($request->request->all() as $preference) {\n    // ... validation omitted ...\n    if (null === ($meta = $profile->getPreference($name))) {\n        throw $this->createNotFoundException(\\sprintf('Unknown custom-field \"%s\" requested', $name));\n    }\n\n    $meta->setValue($value); // <-- VULNERABILITY\n}\n```\n\nThe underlying Role-Based Access Control logic (`UserPreferenceSubscriber::getDefaultPreferences`) accurately identifies that standard users lack the `hourly-rate` role, and flags the dynamically generated preference object as disabled (`$preference->setEnabled(false)`). \n\nHowever, the `updateUserPreference` API endpoint entirely ignores this `isEnabled()` flag and forcefully saves the mutated object to the database natively via Doctrine ORM. This allows unauthorized accounts to manipulate the business-logic variables calculating their own financial earnings.\n\n### PoC\n1. Log into Kimai as an unprivileged, standard employee account (a user with absolutely no `roles` array privileges). \n2. Capture the `cookie` or Session cookies. (In this example, the user's ID is `2`).\n3. Send the following cURL request (or intercept via Burp Suite) targeting your own user ID:\n\n```bash\ncurl -i -X PATCH \"http://localhost:8001/api/users/2/preferences\" \\\n  -H \"Content-Type: application/json\" \\\n  -H \"cookie: <YOUR_STANDARD_USER_TOKEN>\" \\\n  -d '[\n  {\n    \"name\": \"hourly_rate\",\n    \"value\": \"1337\"\n  },\n  {\n    \"name\": \"internal_rate\",\n    \"value\": \"1337\"\n  }\n]'\n```\n\n4. The server responds with `HTTP/1.1 200 OK`. (Note: The `hourly_rate` will intentionally NOT appear in the JSON echo due to `User::getVisiblePreferences` sanitizing output based on the same disabled flag).\n5. If an Administrator organically views User 2's profile within Kimai, or if the user logs any new timesheets, the active and billed `hourly_rate` applied to their account will be confirmed as `1337`.\n<img width=\"1542\" height=\"1039\" alt=\"user_account\" src=\"https://github.com/user-attachments/assets/fff5e2da-d598-408d-8a01-784499ade844\" />\n<img width=\"1539\" height=\"1037\" alt=\"admin_account\" src=\"https://github.com/user-attachments/assets/86a6e8c3-a97f-4be3-9f9f-2e23fad1d8a0\" />\n\n### Impact\nThis is a Privilege Escalation and Business Logic Flaw impacting the core financial calculations of the application. An attacker with a standard user account can manipulate their own billing rate multipliers unbeknownst to administrators, resulting in fraudulent invoices, distorted timesheet exports, and unauthorized financial tampering.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "kimai/kimai"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.53.0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 2.52.0"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/kimai/kimai/security/advisories/GHSA-qh43-xrjm-4ggp"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/kimai/kimai"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-915"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-15T19:46:45Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/04/GHSA-r4v4-5mwr-2fwr/GHSA-r4v4-5mwr-2fwr.json

@@ -0,0 +1,105 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-r4v4-5mwr-2fwr",
+  "modified": "2026-04-15T19:46:04Z",
+  "published": "2026-04-15T19:46:04Z",
+  "aliases": [
+    "CVE-2026-40477"
+  ],
+  "summary": "Improper restriction of the scope of accessible objects in Thymeleaf expressions",
+  "details": "### Impact\nA security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf up to and including 3.1.3.RELEASE. Although the library provides mechanisms to prevent expression injection, it fails to properly restrict the scope of accessible objects, allowing specific potentially sensitive objects to be reached from within a template. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI).\n\n### Patches\nThis has been fixed in Thymeleaf 3.1.4.RELEASE.\n\n### Workarounds\nNo workaround is available beyond ensuring applications do not pass unvalidated user input directly to the template engine. Upgrading to 3.1.4.RELEASE is strongly recommended in any case.\n\n\n### Credits\nThanks to Thomas Reburn (Praetorian) for responsible disclosure.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.thymeleaf:thymeleaf"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.1.4.RELEASE"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 3.1.3.RELEASE"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.thymeleaf:thymeleaf-spring5"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.1.4.RELEASE"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 3.1.3.RELEASE"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.thymeleaf:thymeleaf-spring6"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.1.4.RELEASE"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 3.1.3.RELEASE"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-r4v4-5mwr-2fwr"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/thymeleaf/thymeleaf"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1336",
+      "CWE-917"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-15T19:46:04Z",
+    "nvd_published_at": null
+  }
+}