Unrated severity · NVD Advisory · Published Feb 19, 2026 · Updated Feb 23, 2026
SQL Injection in NesterSoft WorkTime
CVE-2025-15560
Description
An authenticated attacker with minimal permissions can exploit a SQL injection in the WorkTime server "widget" API endpoint to inject SQL queries. If the Firebird backend is used, attackers are able to retrieve all data from the database backend. If the MSSQL backend is used, the attacker can execute arbitrary SQL statements on the database backend and gain access to sensitive data.
Affected products
- Range: <= 11.8.8
Patches
No patches discovered yet.
References
- r.sec-consult.com/worktime (mitre, third-party-advisory)