CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-pj8j-p4g4-4vw8: Kimai has Server-Side Request Forgery in Invoice PDF Rendering via Markdown Image URLs

mediumCVE-2026-49865
Summary Kimai 2.56.0 contains a server-side request forgery vulnerability in its invoice PDF preview and generation workflow. If an attacker can control Markdown content that is later rendered into an invoice PDF, such as Customer.invoiceText, the server-side PDF renderer will fetch remote image URLs embedded in Markdown image syntax. This allows the application server to issue outbound requests to attacker-controlled or internal targets during PDF rendering. The behavior can be used for internal network probing, server-side reachability checks, and potentially follow-on exploitation depending on deployment environment and accessible internal services. Details The vulnerable behavior occurs in the invoice rendering chain when user-controlled Markdown is transformed into HTML and then rendered by mPDF. - First, customer invoice text is copied into the invoice model. . Second, the default PDF invoice template renders that field through the Markdown-to-HTML filter. - Third, md2html enables full Markdown rendering. - Although safe mode is enabled, the tested Markdown image syntax still survives into the rendered HTML chain in a form that causes the PDF renderer to fetch the image resource. - Finally, the HTML is handed to mPDF. The live test confirms that mPDF attempts to retrieve the remote image URL from the server side during PDF preview. This means the issue is not a template-injection problem but an SSRF condition caused by the rendering pipeline: - attacker-controlled Markdown - Markdown converted to HTML - HTML rendered by mPDF - mPDF fetches remote image resources from the server side *A PoC was provided, but removed for security reasons.* Impact This vulnerability allows an attacker who can influence invoice-rendered Markdown fields to cause the Kimai server to make outbound requests to arbitrary destinations. In real deployments, this can be used to probe internal services, test access to internal administrative or metadata endpoints, and confirm ser

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
medium
Published
2026-07-10
Last updated
2026-07-10
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-pj8j-p4g4-4vw8

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-49865coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories