CVE-2025-59920
SQL injection in time@work from systems@work
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 9th |
When a user enters hours in time@work version 7.0.5, the application performs a query to display the projects assigned to that user. If the query URL is copied and opened in a new browser window, the ‘IDClient’ parameter is vulnerable to an authenticated blind SQL injection. If the request is made as the TWAdmin user with the sysadmin role enabled, exploiting the vulnerability allows commands to be executed on the system; if the user does not belong to the sysadmin role, they can still query data from the database.
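A detection sketch for the behaviour described above, added here as an example and not taken from the vendor or the advisory: it reviews web access logs for GET requests whose `IDClient` value is not a plain integer and marks TWAdmin sessions as higher severity. The log layout, the placeholder path and the assumption that legitimate `IDClient` values are integers are not stated in the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: legitimate IDClient values are plain integer identifiers.
VALID_ID = re.compile(r"\d{1,10}")

# Constructed log lines in the form "date time method url user status".
# The path is a placeholder; the advisory does not name the real endpoint.
SAMPLE_LOG = """\
2026-02-18 09:14:02 GET /app/placeholder?IDClient=1042&week=7 jdoe 200
2026-02-18 09:14:40 GET /app/placeholder?week=7&idclient=1042%27%20AND%20%271%27%3D%271 jdoe 200
2026-02-18 09:15:03 GET /app/placeholder?IDClient=7&IDClient=7%3B-- TWAdmin 200
2026-02-18 09:16:11 GET /app/other?page=2 asmith 200
"""

def flag_idclient(log_text):
    """Return (timestamp, user, decoded value, is_twadmin) for every
    IDClient value that is not a plain integer."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip lines that do not match the assumed layout
        date, time, _method, url, user, _status = parts
        # parse_qsl percent-decodes and keeps duplicate parameters, so a
        # benign first IDClient cannot hide a second, tampered one.
        for name, value in parse_qsl(urlsplit(url).query):
            if name.lower() == "idclient" and not VALID_ID.fullmatch(value):
                is_admin = user.lower() == "twadmin"
                hits.append((f"{date} {time}", user, value, is_admin))
    return hits

if __name__ == "__main__":
    for ts, user, value, admin in flag_idclient(SAMPLE_LOG):
        # Per the advisory, a TWAdmin session with sysadmin can reach
        # command execution, so those hits are triaged first.
        severity = "HIGH (TWAdmin session)" if admin else "medium"
        print(f"{ts} user={user} severity={severity} IDClient={value!r}")
```

Because the check is an allowlist on the decoded value, double-encoded or otherwise obfuscated input is flagged as well without needing payload signatures.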
| CWE | CWE-89 |
| Vendor | systems at work |
| Product | time at work |
| Published | Feb 18, 2026 |
| Last Updated | Feb 18, 2026 |
Affected Versions
systems at work / time at work
7.0.5
Credits
Enrique Fernández Lorenzo (Bighound)