{"id":"CVE-2026-42267","summary":"Kimai: Formula Injection via tag names in XLSX export","details":"Kimai is an open-source time tracking application. From version 2.27.0 to before version 2.54.0, any ROLE_USER can create a tag with a formula string as its name (e.g. =SUM(54+51)) via POST /api/tags and assign it to a timesheet. When an admin exports timesheets to XLSX, ArrayFormatter.formatValue() joins tag names with implode() and returns the result unchanged. OpenSpout promotes any =-prefixed string to a FormulaCell, writing \u003cf\u003eSUM(54+51)\u003c/f\u003e into the XLSX archive. Excel evaluates the formula when the file is opened. This issue has been patched in version 2.54.0.","aliases":["GHSA-3xc2-h5r3-wv3r"],"modified":"2026-07-15T01:48:52.676809776Z","published":"2026-05-08T03:28:52.226Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-1236"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42267.json"},"references":[{"type":"WEB","url":"https://github.com/kimai/kimai/releases/tag/2.54.0"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42267.json"},{"type":"ADVISORY","url":"https://github.com/kimai/kimai/security/advisories/GHSA-3xc2-h5r3-wv3r"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42267"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/kimai/kimai","events":[{"introduced":"4332ef95a2074a4adcc42465c46328f240d66a66"},{"fixed":"d456cd3ce2ec5d2599d6cce9490f01f67332d77f"}],"database_specific":{"extracted_events":[{"introduced":"2.27.0"},{"fixed":"2.54.0"}],"source":["AFFECTED_FIELD","CPE_RANGE","REFERENCES"],"cpe":"cpe:2.3:a:kimai:kimai:*:*:*:*:*:*:*:*"}}],"versions":["2.53.0","2.52.0","2.51.0","2.50.0","2.49.0","2.48.0","2.47.0","2.46.0","2.45.0","2.44.0","2.43.0","2.42.0","2.41.0","2.40.0","2.39.0","2.38.0","2.37.0","2.36.1","2.36.0","2.35.1","2.35.0","2.34.0","2.33.0","2.32.0","2.31.0","2.30.0","2.29.0","2.28.0","2.27.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42267.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"}]}