CVE-2025-15560
Feb. 19, 2026, 3:52 p.m.
None
No Score
Description
An authenticated attacker with minimal permissions can exploit a SQL injection in the WorkTime server "widget" API endpoint to inject SQL queries. If the Firebird backend is used, attackers are able to retrieve all data from the database backend. If the MSSQL backend is used the attacker can execute arbitrary SQL statements on the database backend and gain access to sensitive data.
Product(s) Impacted
| Vendor | Product | Versions |
|---|---|---|
| Worktime |
|
|
Weaknesses
Common security weaknesses mapped to this vulnerability.
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
*CPE(s)
Affected systems and software identified for this CVE.
| Type | Vendor | Product | Version | Update | Edition | Language | Software Edition | Target Software | Target Hardware | Other Information |
|---|---|---|---|---|---|---|---|---|---|---|
| a | worktime | worktime_server | / | / | / | / | / | / | / | / |
| a | worktime | widget_api | / | / | / | / | / | / | / | / |
References
Tags
Timeline
Published: Feb. 19, 2026, 11:15 a.m.
Last Modified: Feb. 19, 2026, 3:52 p.m.
Last Modified: Feb. 19, 2026, 3:52 p.m.
Status : Undergoing Analysis
CVE is currently being analyzed by NVD staff, this process results in association of reference link tags, CVSS scores, CWE association, and CPE applicability statements.
More infoSource
551230f0-3615-47bd-b7cc-93e92e730bbf
*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.