Wiz
Vulnerability DatabaseCVE-2026-40479

CVE-2026-40479
PHP vulnerability analysis and mitigation

Summary

The client-side escapeForHtml() function in KimaiEscape.js, introduced in commit 89bfa82c (#2959) to fix a JavaScript XSS vulnerability, only escapes <, >, and & but does not escape " (double quote) or ' (single quote). When user-controlled data (profile alias) is placed in an HTML attribute context (title="__DISPLAY__") via the team member form prototype and rendered through innerHTML, the missing quote escaping allows HTML attribute injection, resulting in Stored XSS.

Details

Incomplete security patch. The escapeForHtml() function was meant to prevent XSS but missed quote characters, which are critical for HTML attribute context escaping. Vulnerable codeassets/js/plugins/KimaiEscape.js:29-33:

const tagsToReplace = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    // MISSING: '"': '&quot;'
    // MISSING: "'": '&#039;'
};

Affected code files:

  • assets/js/plugins/KimaiEscape.js:24-38 — incomplete escape function
  • assets/js/forms/KimaiTeamForm.js:77,86 — replacement + innerHTML
  • templates/macros/widgets.html.twig:126title="{{ tooltip }}" in avatar macro
  • templates/form/blocks.html.twig:104{{ widgets.avatar('__INITIALS__', '__COLOR__', '__DISPLAY__') }}

PoC

poc.zip Please extract the uploaded compressed file before proceeding

  1. ./setup.sh
  2. ./poc_xss.sh

스크린샷 2026-04-07 오후 9 06 27

Impact

  • Stored XSS: payload persists in the database (user alias field)
  • Privilege escalation: ROLE_USER injects XSS that executes in ROLE_ADMIN/ROLE_SUPER_ADMIN browser session

SourceNVD

Related PHP vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

CVE-2026-40261HIGH8.8
  • PHPPHP
  • composer
NoYesApr 15, 2026
CVE-2026-40176HIGH7.8
  • PHPPHP
  • composer
NoYesApr 15, 2026
GHSA-xp4f-g2cm-rhg7MEDIUM6.9
  • PHPPHP
  • pocketmine/pocketmine-mp
NoYesApr 15, 2026
CVE-2026-40479MEDIUM5.4
  • PHPPHP
  • kimai/kimai
NoYesApr 15, 2026
CVE-2026-40486MEDIUM4.3
  • PHPPHP
  • kimai/kimai
NoYesApr 15, 2026

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo