7.6
Jorani: Unauthorized SQL Commands Can Be Executed
CVE-2025-67102
Summary
A SQL injection issue in Jorani's alldayoffs feature allows an authenticated user to execute unintended database commands via the entity parameter, potentially leading to data tampering or unauthorized access. This vulnerability affects Jorani versions up to 1.0.4. To protect your system, update to the latest version of Jorani as soon as possible.
Original title
A SQL injection vulnerability in the alldayoffs feature in Jorani up to v1.0.4, allows an authenticated attacker to execute arbitrary SQL commands via the entity parameter.
Original description
A SQL injection vulnerability in the alldayoffs feature in Jorani up to v1.0.4, allows an authenticated attacker to execute arbitrary SQL commands via the entity parameter.
Vulnerability type
CWE-89
SQL Injection
Published: 17 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026