CVE-2025-15562
Published: Feb 19, 2026
Modified: Feb 20, 2026
PUBLISHED
Description
The server API endpoint /report/internet/urls reflects received data into the HTML response without applying proper encoding or filtering. This allows an attacker to execute arbitrary JavaScript in the victim's browser if the victim opens a URL prepared by the attacker.
| Vendor | Product | Versions |
|---|---|---|
| NesterSoft Inc. | WorkTime (on-prem/cloud) | affected <= 11.8.8 |
Weaknesses (CWE)
References
https://r.sec-consult.com/worktime
third-party-advisory