CVE-2025-15560

Published: Feb 19, 2026

Modified: Feb 23, 2026

PUBLISHED

Description

An authenticated attacker with minimal permissions can exploit a SQL injection in the WorkTime server "widget" API endpoint to inject SQL queries. If the Firebird backend is used, attackers are able to retrieve all data from the database backend. If the MSSQL backend is used, the attacker can execute arbitrary SQL statements on the database backend and gain access to sensitive data.

Vendor: NesterSoft Inc.

Product: WorkTime (on-prem/cloud)

Versions: affected <= 11.8.8

Weaknesses (CWE)

References
