CVE-2019-25317 MEDIUM

CVE-2019-25317: Kimai 2 - persistent cross-site scripting (XSS)

Vendor Kevinpapst
Product Kimai
Weakness CWE-79 · XSS
Published February 11, 2026
Last update March 5, 2026

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01 Description

Kimai 2 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts into timesheet descriptions. Attackers can insert SVG-based XSS payloads in the description field to execute arbitrary JavaScript when the page is loaded and viewed by other users.

Key dates

02 Disclosure timeline

February 11, 2026 CVE published
March 5, 2026 Record updated