CNNVD-202601-2950 Information

CNNVD ID

CNNVD-202601-2950

CVE-2026-23626

  • CNNVD Published: 2026-01-18

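Description (translated from Chinese)

kimai is a web-based multi-user time-tracking application by the individual developer kimai. Versions of kimai before 2.46.0 contain a security vulnerability. It stems from an overly permissive Twig sandbox security policy used by the export feature, which allows arbitrary method calls on objects in the template context and may lead to extraction of sensitive information.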

Description (English)

kimai is a web-based multi-user time-tracking application by the individual developer kimai. Versions of kimai before 2.46.0 contain a security vulnerability: the Twig sandbox security policy used by the export function is overly permissive and allows arbitrary method calls on objects in the template context, which could lead to the extraction of sensitive information.

Hazard Level

High

Vulnerability Type

Other

Affected Vendor

Individual developer

Published

2026-01-18

Last Modified

2026-02-24

References

  • https://github.com/kimai/kimai/releases/tag/2.46.0
  • https://github.com/kimai/kimai/commit/6a86afb5fd79f6c1825060b87c09bd1909c2e86f
  • https://github.com/kimai/kimai/pull/5757
  • https://github.com/kimai/kimai/security/advisories/GHSA-jg2j-2w24-54cg
  • https://access.redhat.com/security/cve/cve-2026-23626
