CVE-2025-15560

HIGH 8.8

SQL Injection in NesterSoft WorkTime

CVSS Score

8.8

EPSS Score

0.0%

EPSS Percentile

0th

An authenticated attacker with minimal permissions can exploit a SQL injection in the WorkTime server "widget" API endpoint to inject SQL queries. If the Firebird backend is used, attackers are able to retrieve all data from the database backend. If the MSSQL backend is used the attacker can execute arbitrary SQL statements on the database backend and gain access to sensitive data.

CWE	CWE-89
Vendor	nestersoft inc.
Product	worktime (on-prem/cloud)
Published	Feb 19, 2026
Last Updated	Feb 23, 2026

Stay Ahead of the Next One

Get instant alerts for nestersoft inc. worktime (on-prem/cloud)

Be the first to know when new high vulnerabilities affecting nestersoft inc. worktime (on-prem/cloud) are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

NesterSoft Inc. / WorkTime (on-prem/cloud)

<= 11.8.8

References

NVD ↗ CVE.org ↗ EPSS Data ↗

r.sec-consult.com: https://r.sec-consult.com/worktime

Credits

Tobias Niemann, SEC Consult Vulnerability Lab Daniel Hirschberger, SEC Consult Vulnerability Lab Thorger Jansen, SEC Consult Vulnerability Lab Marius Renner, SEC Consult Vulnerability Lab