In Kimai versions 2.52.0 and below, a high severity vulnerability, CVE-2026-40486, was detected. This vulnerability allows attackers with standard user accounts to modify restricted attributes such as hourly_rate and internal_rate via the User Preferences API, bypassing intended permission checks. This unauthorized financial tampering directly impacts invoice generation and timesheet calculations. To address this issue, users must upgrade to version 2.53.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-40486.
In Kanboard versions prior to 1.2.51, a high severity vulnerability, CVE-2026-29056, was detected. This vulnerability allows an attacker who receives a user invite link to inject `role=app-admin` during registration, creating an administrator account and escalating privileges. To address this issue, users should upgrade Kanboard to version 1.2.51. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-29056.
In Kanboard versions prior to 1.2.51, a high severity vulnerability, CVE-2026-33058, was detected. This vulnerability allows attackers with permission to add users to a project to perform SQL injection and dump the entire Kanboard database. To address this issue, users should upgrade Kanboard to version 1.2.51. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-33058.
In Kimai versions prior to 2.51.0, a medium severity vulnerability, CVE-2026-28685, was detected. This vulnerability allows attackers with ROLE_TEAMLEAD to access invoices belonging to customers they should not have permission to view, due to missing customer-level access control in the API. To address this issue, users should upgrade Kimai to version 2.51.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-28685.
In Kanboard versions prior to 1.2.50, a medium severity vulnerability, CVE-2026-25531, was identified. This vulnerability allows an authenticated user to duplicate tasks into projects they do not have access to, because the TaskCreationController::duplicateProjects() endpoint does not properly validate user permissions for target projects. To address this issue, users should upgrade Kanboard to version 1.2.50. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-25531.
In Kanboard versions prior to 1.2.50, a medium severity vulnerability, CVE-2026-25530, was detected. This vulnerability allows authenticated attackers to access swimlane data from projects they are not authorized to view, due to a missing project-level authorization check in the `getSwimlane` API method. To address this issue, users should upgrade Kanboard to version 1.2.50 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-25530.
In Kanboard versions prior to 1.2.50, a medium severity vulnerability, CVE-2026-24885, was detected. This vulnerability allows attackers to perform Cross-Site Request Forgery (CSRF) against the `changeUserRole` action in the `ProjectPermissionController`, due to improper enforcement of the `application/json` Content-Type, potentially enabling unauthorized modification of project user roles if an authenticated administrator visits a malicious site. To address this issue, users should upgrade Kanboard to version 1.2.50 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-24885.
In Kimai versions prior to 2.46.0, a medium severity vulnerability, CVE-2026-23626, was detected. This vulnerability allows authenticated attackers with export permissions to execute arbitrary method calls in malicious Twig templates, enabling the extraction of sensitive information such as environment variables, user password hashes, session tokens, and CSRF tokens. To address this issue, users should upgrade Kimai to version 2.46.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-23626.
In OpenProject versions from 11.2.1 to before 16.6.2, a medium severity vulnerability, CVE-2026-22604, was detected. This vulnerability allows attackers to enumerate valid usernames by sending unauthenticated POST requests to the /account/change_password endpoint with arbitrary user IDs, which causes the application to disclose usernames in error responses. To address this issue, users should upgrade OpenProject to version 16.6.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-22604.